Nortel Networks 5100 User's Manual
Contents
1. Export Cluster Configuration
   - Secret key provides a case-sensitive entry field to create a secret key used to encrypt the settings. TIP: The secret key must be supplied again when the configuration is imported.
   - Export is used to export the configuration. TIP: Depending on the browser type, the administrator can have the option to send output to a file or to the display. Output sent to the display can be captured using Copy and Paste functions.
   Import Cluster Configuration
   - File provides a field to type in a configuration file name to import.
   - Browse provides access to a library of configuration files, if available, for selection of a configuration file to import.
   - Secret key provides a case-sensitive entry field. TIP: The import secret key is used to decrypt the configuration settings.
   [Page footer: NORTEL 216383 D October 2005, page 98, Browser Based Interface forms reference, Nortel Switched Firewall Browser-Based Interface User's Guide]
   - Import causes the BBI to restart immediately using the replacement configuration. TIP: No Apply command is required in conjunction with Import.
   WARNING: IMPORT CAUSES REPLACEMENT OF THE CURRENT CONFIGURATION AND ALL PREVIOUS CONFIGURATION SETTINGS BY THE IMPORTED CONFIGURATION. ALL CHANGES PENDING AT THE TIME OF THE IMPORT ARE LOST. THE REVERT COMMAND CANNOT BE USED TO RECOVER THE PREVIOUS CONFIGURATION.
   Image Update forms
   Operation Image Update provides two forms: Packages se
2. Figure 119 Initial Configuration Wizard form [screenshot: the wizard asks whether to start the NSF Initial Configuration Wizard, with the options Start Initial Configuration Wizard and Skip Initial Configuration Wizard]
   Add Wizard forms
   Use the Add forms to add or modify interfaces and bridges.
   Add Interface
   Use the Add Interface wizard to add a new interface or modify an existing interface (see Add Interface Wizard form).
   Figure 120 Add Interface Wizard form [screenshot: fields for the interface number, the first and second IP address, the subnet mask, and enabling or disabling the interface]
   Add Bridge
   Use the Add Bridge wizard to add a bridge to the configuration (see Add Bridge Wizard form).
   Figure 121 Add Bridge Wizard form [screenshot]
3. - Facility provides the local facility number used to uniquely identify syslog entries.
   - Action: Click Delete to delete an active remote server.
   Add New Remote Syslog Server displays the following fields:
   - New Server IP specifies the IP address for the remote syslog server. TIP: Enter the IP address in dotted decimal notation.
   - New Server Severity specifies the severity of messages logged. The following selections are presented in the list: emerg, alert, crit, err, warning, notice, info, debug.
   - New Server Facility provides a list with the following local facility numbers used to uniquely identify syslog entries: auto, local0, local1, local2, local3, local4, local5, local6, local7.
   - Click Update to submit the Remote Syslog Server changes to the pending configuration.
   Cluster Logs ELA form
   Use the Cluster Logs ELA form to configure Event Logging API (ELA) (see Cluster Logs ELA form). ELA allows Firewall log messages to be sent to a Check Point SmartCenter Server for display through the Check Point SmartView Tracker.
4. - Actions provides the following two options:
     - Delete deletes the selected bridge.
     - Modify provides a form to modify the selected bridge.
   - Add New Bridge (see Network Bridges Add New Bridge form on page 79).
   Network Bridges Add New Bridge form
   Use the Network Bridges Add New Bridge form to add a new bridge to the configuration.
   Figure 52 Network Bridges Add New Bridge form [screenshot]
   Fields and buttons on the Network Bridges Add New Bridge form are as follows:
   - General Settings
     - Identifier provides a list to select a numerical ID between 1 and 25 for the bridge.
     - Status provides a list to select enabled or disabled for bridge status.
     - IP Address provides an entry field to specify real IP address 1 for the bridge.
     - IP Address2 provides an entry field to specify real IP address 2 for the
5. Fields and buttons on the Network Routes OSPF GRE Tunnels Modify form are as follows:
   - Identifier provides the numerical ID of the GRE tunnel.
   - Status provides a list with the following two choices:
     - Enabled enables the GRE tunnel.
     - Disabled disables the GRE tunnel.
   - Area Index provides a list to select a value to set the OSPF area index to attach to the network for the current GRE Tunnel.
   - Priority provides a list to set the GRE Tunnel priority used to elect a Designated Router (DR) and Backup Designated Router (BDR) for the area. TIP: A value of 0 specifies that the elected GRE Tunnel is DROTHER and cannot be used as a DR or BDR.
   - Cost 1 provides an entry field to set the cost of output routes for the first Firewall host. TIP: Cost is based on bandwidth. Low cost indicates high bandwidth.
   - Cost 2 provides an entry field to set the cost of output routes for the second Firewall host.
   - Hello provides an entry field to set the hello interval in seconds. TIP: The value must be the same on all routing devices within the area.
   - Dead provides an entry field to set the router dead interval value in seconds. TI
6. Nortel Switched Firewall 5100 Series Release 2.3.3 Browser-Based Interface User's Guide, part number 216383 D, October 2005. 4655 Great America Parkway, Santa Clara, CA 95054. Phone 1 800 4Nortel. http://www.nortel.com
   Copyright Nortel Networks 2002-2005. All rights reserved. This document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of Nortel Networks, Inc. Documentation is provided "as is" without warranty of any kind, either express or implied, including any kind of implied or express warranty of non-infringement or the implied warranties of merchantability or fitness for a particular purpose.
   U.S. Government End Users: This document is provided with a "commercial item" as defined by FAR 2.101 (Oct 1995) and contains "commercial technical data" and "commercial software documentation" as those terms are used in FAR 12.211-12.212 (Oct 1995). Government End Users are authorized to use this documentation only in accordance with those rights and restrictions set forth herein, consistent with FAR 12.211-12.212 (Oct 1995), DFARS 227.7202 (JUN 1995) and DFARS 252.227-7015 (Nov 1995).
   Nortel Networks, Inc. reserves the right to change any products described herein at any time, and without notice. Nortel Networks, Inc. assumes no responsibility or
7. [Screenshot: DHCP Relay Wizard form, DHCP Relay Status]
   OSPF
   Use the OSPF form to configure use of the Open Shortest Path First (OSPF) protocol (see Configure OSPF Wizard form).
   Figure 126 Configure OSPF Wizard form [screenshot]
   Remote Access
   Use the Remote Access wizard form to perform functions associated with remote access configuration, such as add or delete client access lists (see Remote Access Wizard form).
   Figure 127 Remote Access Wizard form [screenshot: Client Access Settings]
8. TIP: Click the Firewall icon to go directly to the Administration Monitor Director(s) form (see Figure 71 on page 103).
   - The Firewall host IP address and Management IP address (MIP) appear under the Firewall icon.
   - The status icon for the firewall appears between the addresses. TIP: Click the Firewall icon to go directly to the Administration Monitor Director(s) form (see Figure 71 on page 103).
     - When the status icon is green, the firewall is operating, and when the status icon is red, the firewall is offline.
   - Current alarms provides the current status of all active alarms.
   Basic operation
   The Browser-Based Interface for the Nortel Switched Firewall provides a variety of levels of control. TIP: To access the full functionality of the BBI, you must log in as administrator (username admin).
   The BBI allows you to administer the NSF in the following manner (see Table 1).
   Table 1 NSF administration
   NSF function             Administration method
   Create a configuration   Use the Config functions or Wizards
   Submit form changes      Click Update or Submit on the form
   View pending changes     Click global Diff
   Clear pending changes    Click global Revert to cancel all pending changes
   Apply changes            Click global Apply
   Up to ten simultaneous browser connections are allowed. When multiple CLI or BBI sessions are open concu
9.   - permanent: the version that is currently running
     - old: the previous version is displayed if at least one version has been uploaded and activated
     - unpacked: a version downloaded but not activated. TIP: The code must be unpacked as part of the activation process.
   - Actions provides the following selections:
     - Activate reboots the Firewall host with the selected software version.
     - Delete removes the selected software version from storage.
   Upload New Package
   - File provides a field to enter a software package file name.
   - Browse provides navigation to the file location to select a file to upload.
   - Submit uploads the selected software package.
   Browser-based software update
   A browser-based software update differs from a CLI-based software update because a TFTP or FTP server is not required to upload software. To perform a browser-based software update, do the following:
   - Use the browser to locate and download the software update pkg file from the Nortel web site to the Windows Desktop.
   - Open the NSF BBI.
   - Select the Operation Image Update Packages form and do the following:
     - To locate and select the software pkg file, click Browse.
     - To load the latest software update on the Firewall, click Submit.
   NOTE: Activating the software using the browser disables remote
10. [Screenshot residue: alarm list showing critical temperature alarms]
   - Sender provides the IP address of the alarm source.
   - Cause describes the cause of the alarm.
   - Severity provides the severity level of the alarm: Critical, Major, Minor, Warning.
   - Time provides the time the event occurred.
   - Action permits deletion of the selected alarm.
   Administration Monitor Syslog form
   The Administration Monitor Syslog form displays the system logs for the Firewall based on selected search criteria (see Administration Monitor Syslog form).
   Figure 73 Administration Monitor Syslog form [screenshot: Log Details with the fields Log ID, Host IP, Search String, Messages Per Page and Case Sensitive]
11. [Screenshot residue: NSF 5100 Ticker properties (Graph/Alarms Properties, Communication Properties)]
   The About page displays the NSF version and license information (see NSF 5100 Ticker About form).
   Figure 18 NSF 5100 Ticker About form [screenshot]
   Cluster forms
   The Cluster menu includes the following categories of forms:
   - Director(s) form
   - Time forms
     - Current Time (see Cluster Time Current Time form on page 40)
     - NTP servers (see Cluster Time NTP Servers on page 41)
   - Logs
     - Syslog (see Cluster Logs Syslog form on page 42)
     - ELA (see Cluster Logs ELA form on page 45)
     - Archive (see Cluster Logs Archive form on page 47)
   - Warnings (see Clust
12. [Screenshot residue: list of log files with View and Download actions]
   The Diagnostics Logs form is divided into the following two sections:
   - Log Information
   - Log Files
   Fields and buttons on the form are as follows:
   - Log Information
     - Firewall Director provides a list containing the IP addresses of the Firewall Directors.
     - Refresh displays the details of the selected Firewall Director.
   - Log Files lists all of the log files on the selected Firewall.
     - File Name displays the names of log files.
     - Size displays the size of log files.
     - Last Modification provides the date or most recent modification of the log files.
     - Actions provides the following two selections:
       - View displays the contents of a selected log file.
       - Download downloads the contents of a selected log file to the local system.
   NOTE: Only the most recent 64 K of log information is displ
13. [Screenshot residue: Network GRE Tunnels form]
   Fields and buttons on the Network GRE Tunnels form are as follows:
   - Id specifies the numerical ID for the GRE tunnel in a range between 1 and 5.
   - Name specifies the name given to the GRE tunnel.
   - Enabled provides the status of the GRE tunnel.
   - Physical Interface specifies the physical interface number for the GRE tunnel in a range between and 255.
   - Remote Addr specifies the remote IP address for the GRE tunnel.
   - Host 1 Tunnel provides the tunnel source IP address, destination IP address, and IP Mask specified for host 1.
   - Host 2 Tunnel provides the tunnel source IP address, destination IP address, and IP Mask specified for host 2. TIP: Configure host 2 when VRRP HA or Active-Active is activated.
   - Actions provides the following two options:
     - Delete deletes the selected GRE tunnel.
     - Modify provides a form to modify the settings for the selected GRE tunnel.
   - Add New GRE Tunnel (see Network GRE Tunnels Add New GRE Tunnel form).
   Network GRE Tunnels Add new GRE Tunnel form
   Use the Network GRE Tunnel
14. Archive form
   Figure 24 Cluster Logs Archive form [screenshot: fields Email, SMTP Server IP, Rotate Size (kb) and Interval (Days, Hours)]
   Fields and buttons on the Cluster Logs Archive form are as follows:
   - Email specifies an e-mail address for the administrator receiving the log.
   - SMTP Server IP specifies the IP address of the SMTP server in dotted decimal notation. TIP: The SMTP Server must be configured to accept messages from the Firewall, and a Check Point policy must be present to allow these messages through the Firewall.
   - Rotate Size specifies the maximum size the log reaches before rotation. If this parameter is set at 0, then the size is ignored and only the log rotate interval is used.
   - Interval specifies, in days and hours, the interval at which the system log file is rotated.
   - Update submits the form changes to the pending configuration.
   Log file rotation
   Log files are rotated when the file reaches a specific size or age. If the log file rotate size is set to 0, the file size is ignored and the rotate interval is used to determine log rotation. TIP: Set the rotate interval in days and h
15. Back returns to the Network Routes OSPF Area Indexes form without submitting changes to the pending configuration.
   Network Routes OSPF Interfaces form
   Use the Network Routes OSPF Interfaces form to display and change the OSPF Interfaces settings that are required to attach an IP network to an OSPF area (see Network Routes OSPF Interfaces form).
   Figure 37 Network Routes OSPF Interfaces form [screenshot]
   Fields and buttons on the Network Routes OSPF Interfaces form are as follows:
   - Id provides a numerical ID between 1 and 255 for the interface.
   - Enabled indicates OSPF Interfaces status as Yes or No.
   - Area Index sets the OSPF area index to attach to the network for the current IP interface.
   - Action provides a Modify button used to access a form to modify or update the OSPF Interfaces. The Modify form displays a modified interface if interfaces are present (see Network Routes OSPF Interfaces Modify form on page 63).
16. Administration Monitor CLI Logins form
   The Administration Monitor CLI Logins form provides information about CLI Login sessions on the Firewall (see Administration Monitor CLI Logins form).
   Figure 76 Administration Monitor CLI Logins form [screenshot]
   Fields and buttons on the Administration Monitor CLI Logins form are as follows:
   - Logged In On specifies the time the user logged in to the CLI.
   - From specifies the IP address of the remote user.
   - Kill Sessions terminates all CLI sessions.
   Administration Monitor About form
   The Administration Monitor About form displays general product information about the Firewall (see Administration Monitor About form).
   Figure 77 Administration Monitor About form [screenshot]
17. CLI configuration tasks required to enable access to the BBI:
   - Enable the BBI.
   - Generate a temporary certificate if using HTTPS.
   - Apply the changes.
   - Use the access list to permit remote access to trusted clients.
   - Use the Check Point SmartDashboard on your SMART Client to add a security policy that allows BBI traffic.
   Enabling the BBI
   You can enable the BBI for HTTP, HTTP and HTTPS, or you can fully disable the BBI. TIP: The default setting for the BBI is enabled for HTTP access and disabled for HTTPS access.
   NOTE: HTTP is not a secure protocol. All data (including passwords) between an HTTP client and the Nortel Switched Firewall is not encrypted and is subject only to weak authentication. If secure remote access is required, use HTTPS.
   To explicitly allow remote BBI access, enter the following commands in the CLI:
   - To enable HTTP access:
     >> cfg sys adm web http ena
   - To enable HTTPS access using SSL:
     >> cfg sys adm web ssl ena
   Generating a temporary certificate if using HTTPS
   An SSL server certificate is required for HTTPS access to the BBI. The Firewall can generate a temporary, self-signed certificate. Use the following commands to create a default certificate:
     >> SSL configuration certs serv gen <Name> <Country code> <
18.   - Click Reboot to reboot the Firewall.
     - Click Delete to delete the member host and reset the configuration to factory default settings.
   - Click Update to submit changes to the pending configuration.
   Time forms
   The two Cluster Time forms are as follows:
   - Cluster Time Current Time (see Cluster Time Current Time form)
   - Cluster Time NTP Servers (see Cluster Time NTP Servers form on page 41)
   Cluster Time Current Time form
   Use the Cluster Time Current Time form to set the date and time for the cluster (see Cluster Time Current Time form).
   Figure 20 Cluster Time Current Time form [screenshot: Date and Timezone]
   The Cluster Time Current Time form is divided into the following two sections:
   - Date
   - Timezone
   Fields and buttons on the Cluster Time Current Time form are as follows:
   - Date fields
     - Month provides a list to select the current month.
     - Day provides a list to select the current date.
     - Year provides a
19. [Screenshot residue: default page showing Director status and current alarms]
   NOTE: A delay of a few seconds can occur while the default page collects data from all of the cluster components. Do not stop the browser while loading is in progress.
   CHAPTER 2 Basics of the Browser-Based Interface
   Interface components
   The Nortel Switched Firewall (NSF) Browser-Based Interface (BBI) main page has eight component areas (see Figure 3).
   Figure 3 NSF BBI main page [screenshot; callouts include Warning display area, Forms display area, History list, Global command buttons and Main page tabs]
20. [Screenshot residue: Network VRRP form]
   Fields and buttons on the Network VRRP form are as follows:
   - High Availability (also called active-standby) provides a list with the following two selections:
     - Disabled indicates that high availability VRRP is disabled.
     - Enabled indicates that high availability VRRP is enabled. TIP: Two Firewall hosts must be in the cluster to apply high availability VRRP. High availability VRRP cannot be enabled when active-active VRRP or ClusterXL is enabled.
   - Active-Active provides a list with the following two selections:
     - Disabled indicates that active-active VRRP is disabled.
     - Enabled indicates that active-active VRRP is enabled. TIP: Two Firewall hosts must be in the cluster to apply active-active VRRP. Active-active VRRP cannot be enabled when high availability VRRP or ClusterXL is enabled.
   - ClusterXL provides a list with the following two selections:
     - Enabled indicates that ClusterXL is enabled. TIP: Two Firewall hosts must be in the cluster in order to apply ClusterXL. ClusterXL cannot be enabled when high availability VRRP or active-active is enabled.
     - Disabled indicates that ClusterXL is disabled.
   - Advert
21. - Username specifies the name of the user for SNMP v3 usm authentication and encryption.
   - Permission specifies the user permission type: read, trap, or read trap.
   - Actions provides the following two selections:
     - Delete deletes a user from the system.
     - Modify permits modification of the selected user parameters.
   - Add New User opens the Add SNMP User form (see Administration SNMP USM Users Add SNMP User form on page 132).
   Administration SNMP USM Users Add SNMP User form
   Use the Administration SNMP USM Users Add SNMP User form to add a new SNMP user.
   Figure 98 Administration SNMP USM Users Add SNMP User form [screenshot: fields Username, Permission, Authentication Password (entered twice) and Encryption Password (entered twice); both passwords must be set when a user is added]
   Fields and buttons on the Administration SNMP USM Users Add SNMP User form are as follows:
   - Username provides an entry field to specify the name of the user for SNMP v3 usm authentication encryption.
   - Permis
22. Key size>
     Do you want to generate a self signed certificate with the generated Key y
   where Name is the common name that appears on the certificate, Country code is a two-letter code (US for the United States of America, CA for Canada, JP for Japan, and so on), and Key size is 512, 1024, or 2048 bits. For example:
     >> SSL configuration certs serv gen Nortel US 1024
   NOTE: When you log in to the BBI with the temporary certificate, you are warned that the certificate is not signed or authenticated. Permit use of the temporary certificate only during initial configuration, where the system is not attached to active networks that can be a source of attack. Install a signed and authenticated certificate prior to connecting any untrusted network.
   Applying the changes
     >> SSL configuration apply
   Using the access list to permit remote access to trusted clients
   If you already configured the access list for Telnet or SSH, you need not repeat the process. Otherwise, to permit access to only trusted clients, see the Nortel Switched Firewall 2.3.3 User's Guide and Command Reference (Part No. 213455 L).
   Adding a security policy that allows BBI traffic
   Use the Check Point SmartDashboard on your SMART Client to add a security policy that allows BBI traffic. The firewall policy should be cons
23. [Screenshot residue: context-sensitive Help window for the Monitor System form]
   The context-sensitive Help window consists of the following areas:
   - Subpage menu: Click Pages to display Help for the selected form. Click Tasks to activate the task-based Help system.
   - Help topic menu: Select a new Help topic using the menu on the left side of the Help window. Each main menu item is listed along with the submenu items under the current selection. Select a different menu item to display its submenu list. Select any submenu item to display Help for that form.
   - Load: Click Load to display the form referenced on the bar.
   - Forms area: This area disp
24. Revert Changes form
   Use Revert to cancel pending configuration changes (see Figure 10).
   Figure 10 Revert form [screenshot: "Are you sure you want to revert the current changes?" with Revert and Back buttons]
   The global Revert form includes the following items:
   - Revert button: Click Revert to cancel the pending configuration changes for the current session. TIP: Applied changes are not affected. Pending changes made in other open CLI or BBI sessions are not affected. See Figure 75 on page 107, Administration Monitor GUI Lock form. To prevent conflicts, any user logged in as administrator (username admin) can take control of the GUI lock before changing or creating a configuration.
   - Back button: Click Back to return to the previously viewed form without canceling pending changes.
   Logout
   Use the global Logout form to terminate the current user session (see Figure 11).
   Figure 11 Logout form [screenshot]
25. access to the Firewall. Use the local console to re-enter the Check Point License and reload the remote access policy to restore remote or browser access.
Operation Image Update Patches form
Use the Operation Image Update Patches form to obtain information about existing patches and to install or uninstall patches (see Operation Image Update Patches form).
Figure 70 Operation Image Update Patches form [screenshot: Installed Patches table showing no patches currently installed; Install New Patch section with File field and Browse button]
The Operation Image Update Patches form is divided into the following two sections:
- Installed Patches
- Install New Patch
Fields and buttons on the form are as follows:
- Installed patches
  - File Name provides the file name of patches installed on the system.
  - Action provides an Un-install button to remove the selected patch.
- Install New Patch
  - File provides an entry field to record the name of a patch to install.
  - Click Browse to view patch file names to select.
  - Click Install to install the selected patch.
26. administration (see Administration Telnet SSH form).
Figure 85 Administration Telnet SSH form [screenshot: Telnet SSH Settings showing Telnet enabled, SSH disabled, CLI Timeout 600 (300 to 604800 seconds); SSH Key Generation section]
The Administration Telnet SSH form is divided into the following two sections:
- Telnet SSH Settings
- SSH Key Generation
Fields and buttons on the form are as follows:
- Telnet SSH Settings
  - Telnet enables or disables administration through Telnet.
  - SSH enables or disables administration through SSH.
  - CLI Timeout sets the number of seconds a Telnet or SSH session can remain idle before automatic disconnection. TIP: Changes to the Firewall configuration that are not applied before the CLI times out will be lost.
  - Update submits the form changes to the pending configuration.
- SSH Key Generation
  - Generate New Keys generates new SSH keys.
Web forms
The Administration Web forms provide the following:
- Web HTTP administration
- Creation and administration of self-signed server certificates that allow the BBI to run under SSL
- Administration of server
27. between the servers.
Fields and buttons on the Cluster Time NTP Servers form are as follows:
- IP Address displays the IP address of an NTP server.
- Action: if an NTP server is present, a Delete button appears.
  - Click Delete to delete the server.
- New NTP IP provides a field to configure a new NTP server. TIP: Use dotted decimal notation.
- Update submits the NTP server address changes to the pending configuration.
Logs forms
The three Cluster Logs forms are as follows:
- Syslogs (see Cluster Logs Syslog form)
- ELA (see Cluster Logs ELA form on page 45)
- Archive (see Cluster Logs Archive form on page 47)
Cluster Logs Syslog form
Use the Cluster Logs Syslog form to specify remote system log servers and turn on local log debugging (see Cluster Logs Syslog form).
Figure 22 Cluster Logs Syslog form [screenshot: System Log section with Debug Messages disabled and Source IP Mode auto; Remote Syslog Servers table with columns IP Address, Logging Severity, Facility, Action; no remote syslog servers configured]
28. bridge
- Subnet Mask provides an entry field to specify the subnet mask for the bridge.
- Bridge Ageing Time provides an entry field to specify the bridge ageing time in seconds.
- Vlan Id specifies the numerical ID between 0 and 4094 for the VLAN.
- Ports specifies the port number associated with the bridge ID.
- VRRP Settings
  - Vrid provides a list to select the numerical ID between 1 and 255 for the virtual router on the bridge.
  - Ip1 provides an entry field to specify virtual IP address 1 for the interface.
  - Ip2 provides an entry field to specify virtual IP address 2 for the interface (applied for VRRP Active-Active).
  - Update submits the changes to the pending configuration.
  - Back returns to the Network Bridges form without submitting changes to the pending configuration.
VRRP form
Use the Network VRRP form to view and configure the VRRP parameters for the cluster (see Network VRRP form).
Figure 53 Network VRRP form [screenshot: VRRP Settings showing High Availability disabled, Active-Active disabled, ClusterXL disabled, Advertisement Interval 3, Garp Broadcast Interval 2]
29. entry field for setting the end time filter.
- Events displays the information extracted from the event log file on the selected Firewall Director. NOTE: Only the most recent 64 K of event information is displayed.
Audit Log form
Use the Diagnostics Audit Log form to display the latest 64 K of the device audit log (see Diagnostics Audit Log form).
Figure 112 Diagnostics Audit Log form [screenshot: Audit Log form with a Firewall Director selector and optional Begin and End time frame fields]
Fields and buttons on the Diagnostic Audit Log form are as follows:
- Firewall Director provides a drop-down list containing the IP addresses of the Firewall Directors.
  - Refresh displays the audit information for the selected Firewall Director.
- Time Frame provides two entry fields for setting the time filters for displaying audit information.
  - Begin provides an entry field for setting the begin time filter.
  - End provides an
30. field to specify the TCP port of the RADIUS server.
- Shared Secret provides an entry field to specify the shared secret used by the RADIUS server.
- Shared Secret (again) provides an entry field to confirm the Shared Secret.
- Update submits the changes to the pending configuration.
- Back returns to the Administration RADIUS page without submitting changes to the pending configuration.
APC UPS form
Use the Administration APC UPS form to configure settings for American Power Corporation Uninterrupted Power Supply (APC UPS) (see Administration APC UPS form).
Figure 107 Administration APC UPS form [screenshot: General Settings showing Status disabled, SNMP Community none, UPS Type usb, Battery Level 5, SNMP Host 0.0.0.0, Master IP Address 0.0.0.0, SNMP Port 161]
Fields and buttons on the Administration APC UPS form are as follows:
- Status provides a list with the following two selections:
  - Enabled enables the
31. format
  - VRRP Group provides a list for VRRP group 1 or 2 selection.
  - Update submits the IP address changes to the pending configuration.
Network Routes Gateway form
Use the Network Routes Gateway form to specify the default gateway for the Firewall (see Network Routes Gateway form).
Figure 33 Network Routes Gateway form [screenshot: Gateway entry field (format 10.10.1.75; 0.0.0.0 to remove)]
Fields and buttons on the Network Routes Gateway form are as follows:
- Gateway provides an entry field to configure the gateway for the system. TIP: Use dotted decimal notation.
- Update submits the form changes to the pending configuration.
Network Routes OSPF forms
Following are the categories of Network Routes OSPF forms:
- General (see Network Routes OSPF General form)
- Area Indexes (see Network Routes OSPF Area Indexes form on page 60)
- Interfaces (see Network Routes OSPF Interfaces form on page 62)
- GRE Tunnels (see Network Routes OSPF GRE Tunnels form on page 64)
- Redistribute (see Network Routes OSPF Redistribute form on page 67)
Network Routes OSPF General form
Use the Network Routes OSPF General fo
32. list to select the current year.
  - Hour provides a list to select the current hour.
  - Minute provides a list to select the current minute.
- Click Save to submit the date and time changes and to put the changes into immediate effect. Note that changes to the date and time zone are unlike most changes: they are not considered pending after submission.
- Timezone provides a list to select the region.
- Click Save to submit the time zone changes and to put the changes into immediate effect. Note that changes to the date and time zone are unlike most changes: they are not considered pending after submission.
Cluster Time NTP Servers form
Use the Cluster Time NTP Servers form to specify the Network Time Protocol (NTP) servers (see Cluster Time NTP Servers).
Figure 21 Cluster Time NTP Servers [screenshot: NTP Servers table with columns IP Address and Action; no NTP servers configured; New NTP IP field]
NTP servers are used by the NTP client on the NSF to synchronize its clock. The system should have access to at least three servers to compensate for discrepancies
33. non-secure HTTP access to the BBI. TIP: The default is port 80.
  - Status provides a list with two selections:
    - Enabled enables HTTP web administration.
    - Disabled disables HTTP web administration.
- HTTP SSL Settings
  - Port provides an entry field to specify the port number for SSL secure HTTP web administration.
  - Status provides a list with two selections:
    - Enabled enables SSL web administration.
    - Disabled disables SSL web administration.
  - TLS provides a list with two selections:
    - Enabled enables TLS protocol.
    - Disabled disables TLS protocol.
  - SSL v2 provides a list with two selections:
    - Enabled enables SSL v2 protocol.
    - Disabled disables SSL v2 protocol.
  - SSL v3 provides a list with two selections:
    - Enabled enables SSL v3 protocol.
    - Disabled disables SSL v3 protocol.
  - Update submits the web changes to the pending configuration.
Administration Web Create Cert form
The Administration Web Create Cert form provides a quick method to create a self-signed certificate that allows the BBI to run under SSL (see Administration Web Create Cert form). TIP: When the BBI is launched with HTTPS using this method, users can expect warnings from the web browser that the Certificate Authority (CA) root certificate is not trusted.
Figure 87 Administration Web Create Cert form
34. the port changes to the pending configuration.
- Back returns to the Network Ports form without submitting changes to the pending configuration.
Routes forms
Following are the four main categories of forms in the Network Routes menu:
- Static (see Network Routes Static form)
- Proxy ARP (see Network Routes Proxy ARP form on page 57)
- Gateway (see Network Routes Gateway form on page 58)
- OSPF (see Network Routes OSPF General form on page 59)
Network Routes Static form
Use the Network Routes Static form to view and configure static routes on the Firewall (see Network Routes Static form).
Figure 29 Network Routes Static form [screenshot: Static Routes table with columns Destination IP, Destination Mask, Gateway IP, Actions; no routes configured]
Fields and buttons on the Network Routes Static form are as follows:
- Destination IP specifies the IP address of the route destination. TIP: Use dotted decimal notation.
- Destination Mask specifies the subnet mask for the route destination. TIP: Use dotted decimal notation.
- Gateway IP specifies the IP address of the gateway. TIP: Use dotted decimal notation.
- Actions provides two choices which a
35. to specify the interface when configuring a new route.
- Enabled
  - Yes indicates that the interface is enabled.
  - No indicates that the interface is disabled.
- Address specifies the IP address of the interface. TIP: Use the dotted decimal notation.
- Address2 specifies the second IP address of the interface. TIP: Address2 is used in an active-active and active-standby VRRP configuration.
- Vlan Id specifies the numerical ID for a VLAN on the interface.
- Port associates the interface with a single port.
- VRRP specifies the Virtual Router ID and IP address of IP interfaces configured for high availability and active-active. TIP: Use the virtual IP address to access the firewall with enhanced security.
- Actions provides the following two options:
  - Modify (only visible if interfaces are present) is used to modify a displayed interface (see Network Interfaces Modify form on page 75).
  - Delete (only visible if interfaces are present) is used to delete an interface from the system.
- Add New Interface adds a new interface to the configuration (see Network Interfaces Add New Interface form on page 77).
Network Interfaces Modify form
Use the Network Interfaces Modify form to modify interfaces.
Figure 49 Network Interfaces Modify form
36. Diff
The global Diff command displays the Pending Updates form. Pending Updates provides a list of the pending configuration changes for the current session (see Figure 9).
Figure 9 Diff form [screenshot: Pending Updates list showing Change 1, Port 2, Update Port Name, Old: none, New: change]
The list displays a change record for each submitted update. Each record can consist of many modifications, depending upon the complexity of the form and changes submitted. Modifications are color coded as follows:
- Green: New items that will be added to the configuration when the global Apply command is given and verified
- Blue: Existing items that will be modified
- Red: Configuration items that will be deleted
The Diff list is cleared when configuration changes are applied or reverted, or when you log out or close the browser window.
NOTE: The Diff form does not include pending changes made in other concurrent CLI or BBI sessions.
Revert
The global Revert command displays the
37. 38
APC UPS form 141
Audit form 142
Diagnostics forms 145
Logs form 145
Events form 147
Audit Log form 148
Maintenance forms 149
System Commands form 151
Debug forms 152
Wizards forms 154
Initial Configuration Wizard 155
Add Wizard forms 156
Configure Wizard forms 157
Preface
This Quick Guide describes the Nortel Switched Firewall Browser-Based Interface (BBI). The components and features of the BBI can be used as an alternative to the Nortel Switched Firewall Command Line Interface (CLI) documented in the Nortel Switched Firewall 2.3.3 User's Guide and Command Reference (213455 L).
Who should use this book
This Quick Guide is intended for network installers and system administrators engaged in configuring and maintaining a network. Installers and administrators must be familiar with Ethernet concepts and IP addressing.
How this book is organized
The chapters in this book are organized as follows:
Chapter 1, Introduction on page 11, describes how to enable and access the BBI.
Chapter 2, Basics of the Browser-Based Interface on page 17, describes the BBI global commands, the BBI page components, and how to access the context-sensitive online Help for referencing page fields, buttons, and labels.
Chapter 3, Browser-Based Interface forms reference on page 33, describ
38. Wizards menu shows the selections available on the Wizards menu tree.
Figure 5 Wizards menu [screenshot: menu tree with Add (Interface, Bridge, GRE Tunnel) and Configure (Check Point Firewall, Routes Gateways, DHCP Relay, OSPF, Remote Access, Users)]
- NSF Config main menu tree: Each of the selections on the Config main menu tree represents a page, called a form, which provides a method to monitor or configure the NSF (see Figure 3 on page 17 and Figure 6).
Figure 6 NSF Config main menu [screenshot: menu tree with System, Cluster, Network, Firewall, Operation, Administration, Diagnostics]
Each main menu category offers subcategories providing a further level of control or detailed information. Click the plus sign adjacent to a selection to expand it and reveal its associated subcategories. For detailed information about the forms, see Chapter 3, Browser-Based Interface forms reference on page 33.
- Warning display area: The Warning display area provides important warnings for the user, such as information about CLI users logged in or the s
39. Add New License Entry form [screenshot: Add Check Point Licenses form with General Settings, Current Licenses and Add New License sections]
The Firewall License Management Add New License Entry form is divided into three sections:
- General Settings
- Current Licenses
- Add New License
Fields and buttons on the form are as follows:
- General
  - IP Address provides an entry field to specify the host IP address associated with the new license.
- Current Licenses
  - Expiration provides an entry field to specify the Check Point License expiration date.
  - Features provides an entry field to specify the Check Point License feature string.
  - License provides an entry field to specify the Check Point License string.
  - Delete deletes the current license.
- Add New Licenses
  - Expiration Date provides an entry field to specify the Check Point License expiration date.
  - Feature String provides an entry field to specify the C
40. [screenshot: Alarms panel showing no current alarms]
- Main page tabs: The two main page tabs are Wizards and Config (see Figure 3 on page 17).
  - Wizards provides access to wizards that guide users through the processes of initial configuration, interface and bridge addition, Check Point Firewall configuration, routes and gateway configuration, DHCP Relay configuration, and OSPF configuration (see Figure 4 and Figure 5). To use the wizards, select Initial Configuration, Add, or Configure and follow the instructions on the page. Click the plus sign adjacent to a selection to expand it and reveal its associated subcategories. To see each of the initial Wizards pages, see Chapter 3, Browser-Based Interface forms reference.
  - Config is the default tab for the BBI main page and provides access to all of the monitoring and configuration functions (see Figure 6 on page 20).
Figure 4 NSF Wizards main page [screenshot: NSF Initial Configuration Wizard prompt with options Start Initial Configuration Wizard and Skip Initial Configuration Wizard]
41. Area Index adjacent to the button.
- Add New Area Index opens a form for configuring a new Area Index (see Network Routes OSPF Area Indexes Add Area Index form on page 61).
Network Routes OSPF Area Indexes Add New form
Use the Network Routes OSPF Area Indexes Add New form to configure a new Area Index.
Figure 36 Network Routes OSPF Area Indexes Add Area Index form [screenshot: General Settings showing Identifier 1, Status disabled, Area Id field (format 10.10.1.75), Type transit]
Fields and buttons on the Network Routes OSPF Area Indexes Add Area Index form are as follows:
- Identifier provides a list with numbers in a range from to 16.
- Status provides a list with the following two selections:
  - Enabled enables the area.
  - Disabled disables the area.
- Area Id provides an entry field to set the OSPF area number. TIP: Use dotted decimal notation.
- Type provides a list with the following two selections to set the area type:
  - transit
  - stub
- Update submits the changes to the pending configuration.
42. [screenshot: Administration Web CA Certs form]
Fields and buttons on the Administration Web CA Certs form are as follows:
- Id provides an identifier for the certificate.
- Issuer identifies the issuer of the certificate.
- Subject provides the subject of the certificate.
- Serial Number provides the serial number for the certificate.
- Valid From provides the date the certificate becomes valid.
- Valid To provides the date the certificate expires.
- Actions provides the following two selections if a certificate is present:
  - Delete a certificate from the system.
  - Modify a selected certificate.
- Add New CA Certificate opens a form to add a new certificate (see Administration Web CA Certs Add Server Certificate form on page 125).
Administration Web CA Certs Add Server Certificate form
Use the Administration Web CA Certs Add Server Certificate form to add a server certificate.
Figure 92 Administration Web CA Certs Add Server Certificate form [screenshot: Add CA Certificate form with the prompt "Please paste new certificate into the box below"]
43. [screenshot: SSH public keys of type RSA1 and DSA, each shown with its fingerprint; key material omitted]
Click Back to return to the Administration SSH keys form.
RADIUS form
Use the Administration RADIUS form to configure RADIUS authentication for system users (see Administration RADIUS form).
Figure 105 Administration RADIUS form
44. Figure 44 Network DHCP Relay Interfaces form [screenshot: interface table with columns IP Address and DHCP Allowed]
Fields and buttons on the network DHCP Relay Interfaces form are as follows:
- Id provides the interface identifier.
- IP Address is the interface IP address.
- DHCP Allowed
  - Yes
  - No
- Action provides the following option:
  - Modify is used to change the selected DHCP Relay Interface (see Network DHCP Relay Interfaces Modify form on page 71).
Network DHCP Relay Interfaces Modify form
Use the Network DHCP Relay Interfaces Modify form to modify a selected DHCP Relay Interface.
Figure 45 Network DHCP Relay Interfaces Modify form [screenshot: Modify DHCP Relay Interface form showing Identifier 1, IP Address 0.0.0.0, DHCP Requests disabled]
Fields and buttons on the Network DHCP Relay Interfaces Modify form are as fo
45. [screenshot: Administration Monitor About form; the Firewall field reads Check Point VPN-1 & FireWall-1 NGX R60 Build 458]
Fields and buttons on the Administration Monitor About form are as follows:
- Product provides the model number of the cluster that is connected to the BBI.
- Version provides the software version running on the cluster.
- Firewall provides the Check Point software build and feature pack running on the cluster.
Users forms
Administration Users provides the following two categories of forms:
- General (see Administration Users General form)
- SSH Users (see Administration Users SSH Users form on page 113)
Administration Users General form
Use the Administration Users General form to add, modify, delete, or list Firewall user accounts and change passwords (see Administration Users General form).
Figure 78 Administration Users General form [screenshot: Administration Users table with columns Username, Group(s), Actions]
46. [screenshot: Administration Monitor Syslog form]
The Administration Monitor Syslog form is divided into the following two sections:
- Log Details
- Syslog Details
Fields and buttons on the form are as follows:
Log Details
- Log ID provides a list containing names of existing log IDs.
- Expand provides the log details for the selected Log ID.
Syslog Details
- Host IP provides a list of Firewall IP addresses that have logs.
- Search String provides an entry field to specify a string to search for in the message body. TIP: All messages with a substring matching the characters in this field are displayed if Search is selected.
- Quick Choice provides a list of predefined basic search strings, as follows:
  - All critical messages (CRITICAL)
  - All error messages (ERROR)
  - All info messages (INFO)
  - All notice messages (NOTICE)
  - All warning messages (WARNING)
- Messages Per Page provides the maximum number of messages displayed for each request.
- Case Sensitive provides a check box to select or deselect case sensitivity in the search.
- Search executes the log search using the defined parameters. TIP: When the search is complete, a list of messages matching the search criterion appears at the bottom of the form.
Administration Monito
47. [screenshot: RADIUS Authentication form with General settings (Status disabled, Timeout 10 seconds, Fallback enabled) and a RADIUS Servers table with columns IP Address, Port, Actions; no authentication servers configured]
The Administration RADIUS form is divided into the following two sections:
- General
- RADIUS Servers
Fields and buttons on the form are as follows:
- General
  - Status provides a list with the following two selections:
    - Enabled enables RADIUS authentication of system users.
    - Disabled disables RADIUS authentication of system users. TIP: Disabled is the default setting.
  - Timeout provides an entry field to specify a timeout value in seconds for a connection request to a RADIUS server. TIP: The default timeout value is 10 seconds.
  - Fallback specifies the desired fallback mode and provides a list with the following two selections:
    - Enabled specifies that local passwords are used as fallback if the RADIUS servers are unreachable. TIP: Enabled is the default parameter.
    - Disabled fallback mode specifies that local passwords cannot be used as fallback if the RADIUS servers ar
48. [screenshot: Administration Audit form with a RADIUS Servers table (IP Address, Port, Actions), no auditing servers configured, and an Add New Auditing Server button]
The Administration Audit form is divided into the following two sections:
- General
- RADIUS Servers
Fields and buttons on the form are as follows:
- General
  - Status provides a list with the following selections:
    - Enabled permits the CLI login, logout, and update events to be sent to the event log, any configured syslog servers, and to a RADIUS audit server.
    - Disabled disables auditing.
  - Vendor Id provides an entry field to specify the SMI Network Management Private Enterprise Code. TIP: The default is 1872 (Alteon NSF).
  - Vendor Type provides an entry field to specify a number representing the vendor type attribute used in RADIUS. TIP: The default vendor type value is 2.
  - Update submits the changes to the pending configuration.
- RADIUS Servers
  - IP Address provides the address of a configured RADIUS server, or an entry field to change or specify the IP Address of a RADIUS server.
  - Port provides the TCP port number, or an entry field to change or specify the TCP port number.
  - Actions provides the following two options:
    - Delete deletes a selected RADIUS server.
    - Modify opens a form to modify the selected RADIUS
50. OSPF Redistribute form [Figure: screenshot of the OSPF Redistribute Settings table (columns OSPF Redistribution, Enabled, Metric, Metric Type)]

Fields and buttons on the Network Routes OSPF Redistribute form are as follows:
- OSPF Redistribution displays the following three settings:
  - Connected
  - Static
  - Default Gateway
- Enabled
  - Yes indicates that the setting is enabled.
  - No indicates that the setting is disabled.
- Metric is the numeric value used by OSPF for all redistributed routes.
- Metric Type is the OSPF exterior metric type for redistributed routes.
- RMAP is the OSPF Connected Redistribute RMAP number.
- Action provides the following selection:
  - Modify provides a form to modify the connected route redistribution (see Network Routes OSPF Redistribute Modify form on page 68).

Network Routes OSPF Redistribute Modify form

Use the Network Routes OSPF Redistribute Modify form to modify the connected route redistribution.

Figure 42: Network Routes OSPF Redistribute Modify form
51. P The dead value is typically four times the value of hello. This value must be the same on all routing devices within the same area.
- Transmit provides a list to set the transmit delay in seconds. TIP: This value must be the same on all routing devices within the area.
- Retransmit provides a list to set the time interval in seconds between each transmission of LSAs to adjacencies on this GRE Tunnel. TIP: This value must be the same on all routing devices within the area.
- Authentication provides a list to set the authentication type.
- Key provides an entry field to specify the password to be used for OSPF authentication. TIP: Specify a type 1 plain text password of up to 16 characters.
- MD5 Auth Key provides an entry field to set the password to be used for OSPF authentication. TIP: Specify a password of up to 16 characters.
- Update submits the OSPF GRE changes to the pending configuration and returns to the Network Routes OSPF GRE form.
- Back returns to the Network Routes OSPF GRE Tunnels page without submitting the OSPF GRE settings to the pending configuration.

Network Routes OSPF Redistribute form

Use the Network Routes OSPF Redistribute form to display and modify the OSPF Redistribution settings (see Network Routes OSPF Redistribute form).

Figure 41 Network Routes
52. [Figure: screenshot of the Generate Certificate Request form (fields Common Name, Two Letter Country Code, Key Size)]

Fields and buttons on the Administration Web Server Certs Generate Certificate Request form are as follows:
- Common Name provides an entry field to specify the common name to be used with the certificate.
- Two Letter Country Code provides an entry field to specify the country code.
- Key Size provides a list to specify the size (either 512, 1024, or 2048) of the encryption key.
- Submit submits the self signed certificate data to the pending configuration.
- Back returns to the Administration Web Server Certs form without submitting changes to the pending configuration.

Administration Web CA Certs form

Use the Administration Web CA Certs form to administer Certificate Authority (CA) certificates on the Firewall (see Administration Web CA Certs form). CA certificates are required if server certificates from an external CA are used.

Figure 91: Administration Web CA Certs form
53. UPS monitor
  - Disabled disables the UPS monitor.
- UPS Type provides a list to set the UPS type from the following selections:
  - usb: USB port
  - snmp: Ethernet through SNMP
- SNMP Host provides an entry field to specify the SNMP Host IP address for connection. TIP: Use dotted decimal notation.
- SNMP Port provides an entry field to specify the SNMP port for connection.
- SNMP Community provides an entry field to set the SNMP community for connection.
- Battery Level provides a list to specify the battery level, in percentage, below which the Firewall shuts down. The list represents a range from 0 to 100 percent.
- Master IP Address provides an entry field to specify the UPS Master IP address. TIP: Use dotted decimal notation.
- Update submits the UPS Monitor changes to the pending configuration.

Audit form

Use the Administration Audit form to configure a RADIUS server to receive log messages about commands executed in the CLI (see Administration Audit form).

Figure 108: Administration Audit form
54. access the NSF BBI 15
  Logging in 15
  Loading the main page 16
Chapter 2 Basics of the Browser Based Interface 17
  Interface components 17
  Basic operation 22
  Pending change exceptions 22
  Lost changes 22
  Creating a configuration 23
  Viewing pending changes 23
  Clearing pending changes 23
  Submitting changes 23
  Global command forms 24
  Apply Changes 24
  Diff 26
  Revert 27
  Logout 28
  Help 29
  Context sensitive Help 29
  Task based Help 30
Chapter 3 Browser Based Interface forms reference 33
  BBI main menu selections 33
  System form 34
  NSF 5100 Ticker form 34
  Cluster forms 38
  Director(s) form 38
  Time forms 40
  Logs forms 42
  Warnings form 49
  Network forms 50
  DNS form 51
  Ports form 52
  Routes forms 54
  Network Routes OSPF forms 59
  DHCP Relay forms 69
  Interfaces form 74
  Bridges form 78
  VRRP form 80
  GRE Tunnels form 82
  Status forms 85
  Firewall forms 89
  Settings form 89
  License Management form 91
  Installed License(s) form 93
  Synchronization form 94
  SMART Clients form 95
  SecurID form 96
  Operation forms 97
  Director(s) form 97
  Configuration form 98
  Image Update forms 99
  Administration forms 102
  Monitor forms 102
  Users forms 110
  Access List form 115
  Telnet SSH form 117
  Web forms 118
  SNMP forms 126
  SSH Keys form 135
  RADIUS form 1
55. Administration forms

The Administration forms provide access to administering and monitoring aspects of the Firewall, such as user information, web settings, and SNMP activity. The Administration forms menu includes the following categories of forms:
- Monitor (see Monitor forms)
- Users (see Users forms on page 110)
- Access List (see Access List form on page 115)
- Telnet SSH (see Telnet SSH form on page 117)
- Web (see Web forms on page 118)
- SNMP (see SNMP forms on page 126)
- SSH Keys (see SSH Keys form on page 135)
- RADIUS (see RADIUS form on page 138)
- APC UPS (see APC UPS form on page 141)
- Audit (see Audit form on page 142)

Monitor forms

Administration Monitor provides the following seven forms for monitoring aspects of Firewall health and operation:
- Director(s) (see Administration Monitor Director(s) form on page 103)
- Alarms (see Administration Monitor Alarms form on page 104)
- Syslog (see Administration Monitor Syslog form on page 105)
- APC UPS Status (see Administration Monitor APC UPS Status form on page 106)
- GUI Lock (see Administration Monitor GUI Lock form on page 107)
- CLI Logins (see Administration Monitor CLI Logins form on page 108)
- About (see Administration Monitor About form on page 109)

Administration Monitor Director(s) form

The Administration Monitor Direc
56. [Figure: screenshot of the Network Interfaces Modify form (General Settings and Vrrp Settings)]

Fields and buttons on the Network Interfaces Modify form are as follows:
- General Settings
  - Identifier provides a list to select a numerical ID between and 255 for the interface.
  - Status provides a list to enable or disable the interface operation.
  - Management provides a list to enable or disable management through the interface.
  - IP Address 1 provides an entry field to specify the IP address for the interface of the Firewall host 1.
  - IP Address 2 provides an entry field to specify the IP address for the interface of the Firewall host 2.
  - Subnet Mask provides an entry field to specify the subnet mask of the interface.
  - Vlan Id provides a list to select the numerical ID between 0 and 4094 for the VLAN.
  - Port provides a list to select a port numb
57. Features provides the Check Point license features.

Synchronization form

Use the Firewall Synchronization form to display the cluster synchronization status and enable or disable cluster synchronization (see Firewall Synchronization form).

Figure 64: Firewall Synchronization form

NOTE: Firewall synchronization provides for stateful failover of open sessions when a master is backed up by the backup master.

Fields and buttons on the Firewall Synchronization form are as follows:
- Status displays a list providing two selections:
  - Enabled indicates that cluster synchronization is enabled.
  - Disabled indicates that cluster synchronization is disabled.
- Save Settings submits the changes to the pending configuration.

SMART Clients form

The Firewall SMART Clients form displays and allows modification to SMART Clients addresses. This form also provides a field to add a new SMART Client (see Firewall SMART Clients form).

Figure 65: Firewall SMART Clients form
58. [Figure: screenshot of the Network Interfaces Add New Interface form (General Settings and Vrrp Settings)]

Fields and buttons on the Network Interfaces Add New Interface form are as follows:
- General Settings
  - Identifier provides a list to select a numerical ID between and 255 for the interface.
  - Status provides a list to enable or disable the interface operation.
  - Management provides a list to enable or disable management through the interface.
  - IP Address provides an entry field to specify the IP address for the interface of the Firewall host 1.
  - IP Address 2 provides an entry field to specify the IP address for the interface of the Firewall host 2.
  - Subnet Mask provides an entry field to specify the subnet mask of the interface.
  - Vlan Id provides a list to select the numerical ID between 0 and 4094 for the VLAN.
  - Port provides a list to select a port number to associate with the interface ID number.
- VRRP Settings
  - Ip1 provides an entry field to specify the first virtual IP address of the interface.
  - Ip2 provides an entry field to specify the second virtual IP address for the interface (applied for VRRP Active Active).
  - Vrid provides a list to select a numerical ID between 1 and 255 for the virtual router.
- Update submits the chang
59. [Figure: screenshot of the Diagnostics Debug OSPF form]

Fields and buttons on the Diagnostics Debug OSPF form are as follows:
- Routing OSPF Debug displays the following OSPF debugging options:
  - Generic Events turns on debugging for OSPF events.
  - ISM Events turns on debugging for the interface state machine.
  - LSA Events turns on debugging for link state advertisements.
  - NSM Events turns on debugging for the neighbor state machine.
  - Packets turns on debugging for OSPF packets.
- Enabled displays the following OSPF Debug operational settings:
  - Yes indicates OSPF Debug is enabled.
  - No indicates OSPF Debug is disabled.
- Action displays a form used to modify a displayed OSPF Debug option:
  - Modify displays a form to modify an OSPF debug option (see Diagnostics Debug OSPF Modify form).

Diagnostics Debug OSPF Modify form

Use the Diagnostics Debug OSPF Modify form to enable or disable logging of OSPF generic events.

Figure 117: Diagnostics Debug OSPF Modify form

Fields and buttons on the Diagnostics Debug OSPF Modify form are as follows:
- Status provides a list to select enabled or
60. aunch on the NSF 5100 Ticker Launch form to launch the Ticker report. Use the Ticker report form to view the statistics provided by the Ticker.

The NSF 5100 Ticker report form displays three tabs (see NSF 5100 Ticker results form).

Figure 16: NSF 5100 Ticker results form [screenshot: Cluster Information tab with status graphs (CPU Load, Memory, Hard Disk, Throughput In, Throughput Out, Total Sessions, Sessions/sec), Security Settings, and Current Alarm panels]

Tabs on the NSF 5100 Ticker results form are as follows:
- Cluster information
- Properties
- About

The Cluster Information page displays the statistics and graphs for the Firewall (see NSF 5100 Ticker results form).

The Properties page displays properties for NSF 5100 Ticker parameters (see NSF 5100 Ticker Properties form).

Figure 17: NSF 5100 Ticker Properties form
61. authentication servers. It also determines whether the NSF can connect to web servers specified in group links.
  - Nodes provides a list with two selections:
    - all isds performs configuration checks from all hosts.
    - one isd performs configuration checks from local host.
  - Configuration Items provides a list of available configuration items. You can select items from the list or, if selected, remove items from the selected list.
  - Click Check Configuration to check the applied configuration. The configuration information appears in the Applied Configuration display area.
- Applied Configuration displays configuration information.

Diagnostics Maintenance Check Point Logs form

Use the Diagnostics Maintenance Check Point Logs form to provide Check Point Log file information collected from NSF devices to the local system for technical support purposes (see Diagnostics Maintenance Check Point Logs form).

Figure 114: Diagnostics Maintenance Check Point Logs form
62. ayed

Events form

The Diagnostics Events form displays the contents of the event log file (see Diagnostics Events form).

Figure 111: Diagnostics Events form

Fields and buttons on the Diagnostics Events form are as follows:
- Firewall Director provides a list containing the IP addresses of the Firewall Directors.
- Refresh displays the details of the selected Firewall Director.
- Time Frame provides two entry fields for setting the time filters for displaying event information:
  - Begin provides an entry field for setting the begin time filter.
  - End provides an
63. certificates on the host
- Administration of Certificate Authority (CA) certificates

The four main categories of Administration Web forms are:
- General (see Administration Web General form)
- Create Cert (see Administration Web Create Cert form on page 120)
- Server Certs (see Administration Web Server Certs form on page 121)
- CA Certs (see Administration Web CA Certs form on page 124)

Administration Web General form

The Administration Web General form enables web administration (see Administration Web General form).

Figure 86: Administration Web General form

The Administration Web General form is divided into the following two sections for web settings:
- HTTP Settings
- HTTP SSL Settings

Fields and buttons on the form are as follows:
- HTTP Settings
  - Port provides an entry field to specify the port number for
64. [Figure: screenshot of the Network Routes OSPF GRE Tunnels form (columns Id, Enabled, Area Index, Action)]

Fields and buttons on the Network Routes OSPF GRE Tunnels form are as follows:
- Id provides the numerical ID for the GRE tunnel.
- Enabled provides the status of the GRE tunnel.
- Area Index sets the OSPF area index to attach to the network for the current GRE Tunnel.
- Action provides the following two options:
  - Delete deletes a selected GRE tunnel.
  - Modify provides a form to modify a selected GRE tunnel (see Network Routes OSPF GRE Tunnels Modify form).

Network Routes OSPF GRE Tunnels Modify form

Use the Network Routes OSPF GRE Tunnels Modify form to modify GRE tunnel settings.

Figure 40: Network Routes OSPF GRE Tunnels Modify form
65. [Figure: screenshot of the Add Bridge Wizard form (prompts for bridge number, IP address 1, IP address 2, subnet mask, and enable or disable)]

Add GRE Tunnel

Use the Add GRE Tunnel wizard to add a GRE tunnel to the configuration (see Add GRE Tunnel Wizard form).

Figure 122: Add GRE Tunnel Wizard form

Configure Wizard forms

Use the Configure forms to perform system configurations Check Point Firewal
66. NSF 5100 Ticker form

NSF 5100 Ticker provides a real time view of the following Firewall status and statistic information:
- status of firewall directors and accelerators
- alarms color coded for status
- statistics for the following parameters:
  - CPU use
  - memory use
  - disk use
  - session statistics plotted as a graph
  - throughput statistics plotted as a graph
- status of the following remote accesses:
  - HTTP
  - HTTPS
  - Telnet
  - SSH
  - SNMP

Use the NSF 5100 Ticker launch form to launch the Ticker. TIP: The Ticker cannot launch if pop up blockers are enabled (see NSF 5100 Ticker launch form).

NOTE: Java 2 Runtime Environment SE plug in version 1 2 4 01 or higher is required. When you launch the Ticker, if the Java plug in is not present, the Ticker downloads it from the java.sun.com web site. If the system is not connected to the Internet, an error message appears in the Ticker window.

Figure 15: NSF 5100 Ticker launch form

Click L
67. disabled for logging of OSPF generic events.
- Update submits the change to the pending configuration.
- Back returns to the Diagnostics Debug OSPF form without submitting changes to the pending configuration.

Wizards forms

The Wizards guide the user through configuration processes. The Wizards tab on the NSF BBI main page provides the following selections (see Wizards main menu):
- Initial Configuration (see Initial Configuration Wizard on page 155)
- Add (see Add Wizard forms on page 156)
  - Interface
  - Bridge
  - GRE Tunnel
- Configure (see Configure Wizard forms on page 157)
  - Check Point Firewall
  - Routes Gateways
  - DHCP Relay
  - OSPF
  - Remote Access Users

Figure 118: Wizards main menu

The figures in this section represent the first page of each NSF BBI Wizard.

Initial Configuration Wizard

Use the Initial Configuration wizard to configure a working NSF environment (see Initial Configuration Wizard form).
68. dministration SSH Keys Import SSH Key form

Figure 103: Administration SSH Keys Import SSH Key form [screenshot; on-screen warning: SSH key will be added immediately to the database. No apply is required.]

Fields and buttons on the Administration SSH Keys Import SSH Key form are as follows:
- IP Address provides an entry field to specify the IP address of the Firewall.
- Click Save to apply the changes without sending them to the pending configuration.
- Click Back to return to the Administration SSH Keys form without submitting changes to the pending configuration.

Administration SSH Keys Show SSH keys form

Use the Administration SSH Keys Show SSH keys form to view resident SSH key information (see Administration SSH Keys Show SSH keys form).

Figure 104: Administration SSH Keys Show SSH keys form
69. ds and buttons on the Administration SNMP Trap Hosts Add Trap Host form are as follows:
- IP Address provides an entry field to specify the IP address of the trap host.
- Port provides an entry field to specify the port to send the trap. TIP: The SNMP default port is 162.
- Community String (v2c) provides an entry field to specify the community string for the trap host.
- Trap user (v3) provides an entry field to specify the user employed for trap authentication.
- Update submits new SNMP User Name information to the pending configuration.
- Back returns to the Administration SNMP Trap Hosts form without submitting changes to the pending configuration.

Administration SNMP USM Users form

Use the Administration SNMP USM Users form to administer USM users employed in SNMP v3 usm authentication and encryption (see Administration SNMP USM Users form).

Figure 97: Administration SNMP USM Users form

Fields and buttons on the Administration SNMP USM Users form are as follows
70. e
- Configuration and monitoring functions similar to those available through the Command Line Interface (CLI)
- Access using HTTP or secure HTTPS using Secure Socket Layer (SSL)
- No installation required; the BBI is part of the Firewall OS software
- Upgrades with future software releases as available
- Runs up to ten BBI sessions simultaneously
- Online context sensitive Help for each BBI page
- Online task based Help for a variety of common procedures from each BBI page

Getting started

Requirements

Following are the requirements to enable the BBI:
- An installed Nortel Switched Firewall
- A Check Point policy to allow management station access for HTTP or HTTPS traffic
- A PC or workstation with network access to the Firewall host IP address
- A Frame capable web browser software such as the following:
  - Netscape Navigator 4.6 or higher
  - Internet Explorer 5.5 or higher
- JavaScript enabled in your web browser
- Java 2 Runtime Environment SE plug in version 1 2 4 01 or higher

NOTE: JavaScript is different from Java. Ensure that JavaScript is enabled in your web browser.

Enabling the BBI

Before you can access the BBI, you must perform some configuration at the CLI. For information about accessing and using the CLI, see the Nortel Switched Firewall 2.3.3 User's Guide and Command Reference (213455 L).

CLI configuration tasks

Following are the
71. [Figure: screenshot of the Diagnostics Maintenance Check Point Logs form, navigation menu]

Fields and buttons on the Diagnostics Maintenance Check Point Logs form are as follows:
- File Name provides an entry field for the file name used to store the uploaded information.
- To dump the Check Point logs to the specified location, click Dump Check Point Logs.

System Commands form

Use the Diagnostics System Commands System Commands form to execute Check Point system commands normally entered in a command window (see Diagnostics System Commands System Commands form).

Figure 115: Diagnostics System Commands System Commands form

Fields and buttons on the Diagnostics System Commands System Commands form are as follows:
- Host IP provides a list of host IP addresses.
- Command provides a list of the following Check Point commands:
  - Chec
72. e Operation Image Update Packages form
- Patches (see Operation Image Update Patches form on page 101)

Operation Image Update Packages form

Use the Operation Image Update Packages form to obtain information about software running on the firewall and to update the NSF software from the browser (see Operation Image Update Packages form).

Figure 69: Operation Image Update Packages form [screenshot; on-screen warning: Upload time depends upon the speed of the Internet connection. Slow connections may take many minutes.]

The Operation Image Update Packages form is divided into the following two sections:
- Installed Packages
- Upload New Package

Fields and buttons on the Operation Image Update Packages form are as follows:
- Installed Packages
  - Version provides the NSF software version running on the cluster.
  - Name provides the name of the software package.
  - Status indicates software package status as follows
73. e cost of output routes for first Firewall host.
- Cost 2 provides an entry field to set the cost of output routes for the second Firewall host.
- Hello provides an entry field to set the hello interval in seconds.
- Dead provides an entry field to set the router dead interval in seconds.
- Transmit provides a list to set the transmit delay in seconds.
- Retransmit provides a list to set the time interval in seconds.
- Authentication provides a list to set the authentication type for the interface with the following selections:
  - None
  - Password
  - MD5
- Key provides an entry field to set the password used for OSPF authentication when the authentication option is set to password.
- MD5 Auth Key provides an entry field to set the password used for OSPF authentication when the authentication option is set to MD5.
- Update submits the changes to the pending configuration.
- Back returns to the Network Routes OSPF Interfaces without submitting the changes to the pending configuration.

Network Routes OSPF GRE Tunnels form

Use the Network Routes OSPF GRE Tunnels form to display and change the GRE tunnels (see Network Routes OSPF GRE Tunnels form).

Figure 39: Network Routes OSPF GRE Tunnels form
74. e the Administration Web Server Certs Add Server Certificate form to add a server certificate.

[Figure 89: Administration Web Server Certs Add Server Certificate form. On-screen prompt: Please paste new certificate into the box below.]

Fields and buttons on the Administration Web Server Certs Add Server Certificate form are as follows:
- Identifier provides the assigned number of the certificate issuer.
- Update submits the certificate information to the pending configuration.
- Back returns to the Administration Web Server Certs page without submitting changes to the pending configuration.

Administration Web Server Certs Generate Certificate Request form

Use the Administration Web Server Certs Generate Certificate Request form to generate a certificate request (see Administration Web Server Certs Generate Certificate Request form).

[Figure 90: Administration Web Server Certs Generate Certificate Request form]
75. e unreachable
  - Update submits the settings to the pending configuration.
- RADIUS Servers
  - IP Address specifies the IP address of the RADIUS server.
  - Port specifies the TCP port of the RADIUS server.
  - Actions
    - Modify provides a form for modifying the selected RADIUS server.
    - Delete deletes the selected RADIUS server.
  - Add New Server provides a form for adding a new RADIUS server (see Administration RADIUS Add RADIUS Authentication Server form on page 140).

Administration RADIUS Add RADIUS Authentication Server form

Use the Administration RADIUS Add RADIUS Authentication Server form to add a RADIUS Authentication server.

[Figure 106: Administration RADIUS Add RADIUS Authentication Server form]

Fields and buttons on the Administration RADIUS Add RADIUS Authentication Server form are as follows:
- IP Address provides an entry field to specify the IP address of the RADIUS server.
- Port provides an entry
76. Fields and buttons on the Network Routes OSPF Redistribute Modify form are as follows:
- Status provides a list with two selections:
  - enabled enables the connected route redistribution.
  - disabled disables the connected route redistribution.
- Metric provides an entry field for the metric used by all redistributed connected routes.
- Metric Type provides a list with the following two selections of OSPF exterior metric types for redistributed routes:
  - t1 applies additional calculations.
  - t2 does not apply additional calculations.
- RMAP provides a list to select values in a range from 0 to 10.
- Update submits the changes to the pending configuration.
- Back returns to the Network Routes OSPF Redistribute form without submitting the changes to the pending configuration.

DHCP Relay forms

The three DHCP Relay forms are:
- General
- Interfaces
- Servers

Network DHCP Relay General form

Use the Network DHCP R
77. elay General form to display DHCP Relay settings and statistics (see Network DHCP Relay General form).

[Figure 43: Network DHCP Relay General form]

The Network DHCP Relay General form is presented in the following two sections:
- DHCP Relay Settings
- DHCP Relay Statistics

Fields and buttons on the form are as follows:
- DHCP Relay Settings
  - DHCP Relay Status provides a list with the following two selections:
    - Disabled disables DHCP Relay.
    - Enabled enables DHCP Relay.
  - Update submits changes to the pending configuration.
- DHCP Relay Statistics
  - DHCP Relay Statistics provides a list containing the following two selections:
    - Show DHCP Relay statistics
    - Clear DHCP Relay statistics
  - Submit submits changes to the pending configuration.

Network DHCP Relay Interfaces form

Use the Network DHCP Relay Interfaces form to configure the DHCP relay requests into the network (see Network DHCP Relay Interfaces form).
78. Network Routes OSPF interfaces Modify form

Use the Network Routes OSPF Interfaces Modify form to modify a selected interface.

[Figure 38: Network Routes OSPF Interfaces Modify form]

Fields and buttons on the Network Routes OSPF Interfaces Modify form are as follows:
- Identifier sets the numerical ID for the interface between 1 and 255.
- Status provides a list with the following two options:
  - enabled enables the interface operational status.
  - disabled disables the interface operational status.
- Area Index provides a list to set the OSPF area index to attach to the network for this IP interface.
- Priority sets the IP interface (IF) priority used when electing a Designated Router (DR) and Backup Designated Router (BDR) for the area. TIP: The default is 1.
- Cost 1 provides an entry field to set th
79. ent Station IP provides an entry field to specify the IP address of the Check Point SmartCenter Server where the Firewall log messages are sent.
- Minimum Severity provides a list that specifies the severity of messages logged and sent to the ELA service:
  - emerg
  - alert
  - crit
  - err
  - warning
  - notice
  - info
  - debug
- Management Station DN is the designated name of the Check Point SmartCenter Server.
- Update submits the form changes to the pending configuration.

Pull SIC Certificate displays the following fields:
- Firewall Director IP provides a list to specify the IP address of the individual Firewall for update. TIP: Do not use the MIP address.
- OPSEC Application Name is the name of the ELA service configured on the Check Point SmartCenter Server. Use the name specified when creating the OPSEC application in the Check Point SmartDashboard. TIP: Use a different OPSEC application for each Firewall.
- OPSEC Password is the password used to configure the ELA service on the Check Point Management Station.
- OPSEC Password again is used to verify the password.
- Submit is used to submit the form and update the certificate on the specified Firewall.

Cluster Logs Archive form

Use the Cluster Logs Archive form to specify system log rotation and system log archiving parameters see Cluster Logs
80. entry field for setting the end time filter
- Auditing displays the auditing information for the selected Firewall.

Maintenance forms

Use the Diagnostics Maintenance Check Configuration form to check the applied configuration (see Diagnostics Maintenance Check Configuration form).

Diagnostics Maintenance Check Configuration form

[Figure 113: Diagnostics Maintenance Check Configuration form. On-screen note: Configuration check will be performed on all items if none are selected.]

The Diagnostics Maintenance Check Configuration form is divided into the following two sections:
- Check Applied Configuration
- Applied Configuration

Fields and buttons on the form are as follows:
- Check Applied Configuration determines whether the NSF can contact configured gateways routes DNS servers and
81. eparate different selections within a window-based menu bar. Examples: host ls a; System autoneg on off; Select Edit Copy from the window's menu bar.
- <Key>: Non-alphanumeric keyboard items are shown in regular type inside brackets. When directed, press the appropriate key. Example: Press the <Enter> key.

How to get help

This section explains how to get help for Nortel products and services.

Getting help from the Nortel web site

The best way to get technical support for Nortel products is from the Nortel Technical Support web site at www.nortel.com/support. This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products. Use the Nortel Technical Support web site to do the following:
- download technical information, including the following items:
  - software
  - documentation
  - product bulletins
- search the Technical Support web site and the Nortel Knowledge Base for answers to technical questions
- sign up for automatic notification of new software and documentation for Nortel equipment
- open and manage technical support cases

Getting help over the telephone from a Nortel Solutions Center

If you do not find the information you require on the Nortel Technical Support web site you can get help over the telephone from a Nortel Solutions Cen
82. er between 1 and 6 for the 5109 and 5111 NE1 hardware platforms or 1 and 4 for other hardware platforms to associate with the interface ID number
- VRRP Settings
  - Ip1 provides an entry field to specify the first virtual IP address for the interface.
  - Ip2 provides an entry field to specify the second virtual IP address for the interface (applied for VRRP Active Active).
  - Vrid provides a list to select a numerical ID between 1 and 255 for the virtual router.
- Update submits changes to the pending configuration.
- Back returns to the Network Interfaces form without submitting changes to the pending configuration.

Network Interfaces Add Interface form

Use the Network Interfaces Add Interface form to add a new interface.

[Figure 50: Network Interfaces Add New Interface form]
83. er ID is set to 0.0.0.0 the Firewall host is automatically selected as the router ID
- Router Id 2 provides an entry field to set the OSPF Router ID for the second Firewall host.
- Save Setting submits the changes to the pending configuration.

Network Routes OSPF Area Indexes form

Use the Network Routes OSPF Area Indexes form to view and change the OSPF Area Index settings (see Network Routes OSPF Area Indexes form).

[Figure 35: Network Routes OSPF Area Indexes form]

Fields and buttons on the Network Routes OSPF Area Indexes form are as follows:
- Id provides the index number for the Area Index attached to the Firewall.
- Enabled indicates whether the Area Index is enabled or disabled.
- Area Id provides the IP address identifying the Area Index.
- Type indicates whether the Area Index is Transit (default) or Stub.
- Actions provides the following selections if an Area ID is present:
  - Delete deletes the Area Index adjacent to the button.
  - Modify opens a form for modifying the
84. er Warnings form on page 49

Director(s) form

Use the Cluster Director(s) form to view and change the Firewall Director Settings (see Cluster Director(s) form).

[Figure 19: Cluster Director(s) form]

The Cluster Director(s) form is divided into the following two sections:
- Management IP Address
- General Settings

Fields and buttons on the Cluster Director(s) form are as follows:
- Management IP Address
  - MIP is the Management IP for the host. MIP address identifies the cluster and must be unique on the network.
- General Settings
  - ID is the host identification number.
  - Hostname displays the name of the Firewall host.
  - IP Address is the network IP address for the host.
  - System Name is the set system name.
  - Actions provides the following three options:
    - Click Halt to stop the Firewall. TIP: Always click Halt before turning the device off.
85. Fields and buttons on the Cluster Logs Syslog form are as follows:

System Log
- Debug Messages displays a list with two choices:
  - Disabled disables transmission of debug messages to the local system log.
  - Enabled enables transmission of debug messages to the local system log.
- Source IP Mode displays a list with three choices:
  - Auto (the default setting) specifies the IP address of the outgoing interface.
  - Unique specifies the IP address of the individual NSF.
  - MIP specifies the IP address of the cluster MIP. Use this setting with applications designed for devices limited to one IP address, for example some versions of HP OpenView.
- Update submits the debug message status change and the source IP mode change to the pending configuration.

The Remote Syslog Servers section of the Cluster Logs Syslog form is divided into the following two sections:
- Current Remote Syslog Servers
- Add New Remote Syslog Server

Current Remote Syslog Servers displays the following fields:
- IP Address specifies the remote syslog server in dotted decimal notation.
- Logging Severity specifies the severity of messages logged. All messages of the selected severity or higher are logged
86. es in detail all of the forms associated with the BBI.

Typographic conventions

The following table describes the typographic styles used in this book.

Table 1 Typographic conventions (columns: Typeface or Symbol, Meaning, Example)
- AaBbCc123: This fixed width type is used for names of commands, files, and directories used within the text. It also depicts on-screen computer output and prompts. Example: View the readme txt file. Main
- AaBbCc123: This italicized type shows book titles, special terms, or words to be emphasized. Example: Read your User's Guide thoroughly.
- AaBbCc123: This fixed width bold type appears in command examples. It shows text that must be typed in exactly as shown. Example: Main sys
- <AaBbCc123>: Italicized type within angle brackets appears in command examples as a parameter placeholder. Replace the indicated text with the appropriate real name or value when using the command. Do not type the brackets. Example: To establish a Telnet session, enter host telnet <IP address>
- [ ]: Command items shown inside square brackets are optional and can be used or excluded as the situation demands. Do not type the brackets.
- |: Command items separated by the vertical bar depict a list of possible values, only one of which should be entered. The vertical bar is considered to mean or. This can also be used to s
87. es to the pending configuration
- Back returns to the Network Interfaces form without submitting changes to the pending configuration.

Bridges form

Use the Network Bridges form to view and configure settings for bridges (see Network Bridges form).

[Figure 51: Network Bridges form]

Fields and buttons on the Network Bridges form are as follows:
- Id specifies the numerical ID between 1 and 25 for the bridge.
- Enabled displays the bridge operational status as Yes or No.
- Address1 specifies the address 1 of the bridge.
- Address2 specifies the address 2 of the bridge.
- Ports specifies the port number associated with the bridge ID.
- Ageing Time specifies the bridge ageing time in seconds.
- Vlan Id specifies the numerical ID between 0 and 4094 for the VLAN.
- VRRP specifies the virtual router ID and IP address of the IP interface configured for high availability or active active
88. for the interfaces on the bridge

Network Status Bridge Mac Entries form

Use the Network Status Bridge Mac Entries form to display the bridge MAC entries for the selected Firewall Director (see Network Status Bridge Mac Entries form).

[Figure 59: Network Status Bridge Mac Entries form]

Fields and buttons on the Network Status Bridge Mac Entries form are as follows:
- Firewall Director provides a list to select the Firewall Director for bridge MAC entry display.
- Refresh provides the information for the selected Firewall Director.
- Bridge No provides the numerical ID of the bridge.
- Port provides the port number of the bridge.
- Mac Address provides the MAC Address of the bridge.
- Local specifies whether the bridge is local.
- Ageing Timer displays the ageing timer.

Fi
89. ges when the global Apply command is issued
  - Enabled enables the display of warning messages about the state of pending configuration changes when the global Apply command is issued.
- Update submits the Warning selection to the pending configuration.

Network forms

The Network menu includes the following categories of forms:
- DNS (see Network DNS form on page 51)
- Ports (see Network Ports form on page 52)
- Routes
  - Static (see Network Routes Static form on page 54)
  - Proxy ARP (see Network Routes Proxy ARP form on page 57)
  - Gateway (see Network Routes Gateway form on page 58)
  - OSPF
    - General (see Network Routes OSPF General form on page 59)
    - Area Indexes (see Network Routes OSPF Area Indexes form on page 60)
    - Interfaces (see Network Routes OSPF Interfaces form on page 62)
    - GRE Tunnels (see Network Routes OSPF GRE Tunnels form on page 64)
    - Redistribute (see Network Routes OSPF Redistribute form on page 67)
- DHCP Relay
  - General (see Network DHCP Relay General form on page 69)
  - Interfaces (see Network DHCP Relay Interfaces form on page 70)
  - Servers (see Network DHCP Relay Servers form on page 72)
- Interfaces (see Network Interfaces form on page 74)
- Bridges (see Network Bridges form on page 78)
- VRRP (see Network VRRP form on page 80)
- GRE Tunnels see Network GRE Tunnels form o
90. guration do the following:
1. Select the appropriate menu item and subpage.
2. Modify fields in the appropriate forms display areas.
3. Click Update to submit the changes to the pending configuration.

Viewing pending changes

To view pending changes before they are applied, do the following:
1. Click global Diff.
2. View the global Diff form.
3. Click Back to return to the current form.

Clearing pending changes

To clear pending changes, do one of the following:
- Click global Revert and return to the configuration. TIP: You cannot use the global Revert command to restore the previous configuration after you submit the Apply command.
- Close the browser.

Submitting changes

To submit the form changes for application, do the following:
1. Click global Apply. TIP: The global Apply command allows updates on multiple forms to be put into effect all at once. The Apply function validates the changes to the configuration before applying them, and Apply fails if invalid settings are used. See Figure 75 on page 107, Administration Monitor GUI Lock form. To prevent conflicts, any user logged in as administrator (username admin) can take control of the GUI lock before changing or creating a configuration.
2. Click Submit.

See Global command forms for details on using Apply Diff Revert and Logo
91. heck point License feature string
- License String provides an entry field to specify the Check Point License string.
- Save Page submits the changes to the pending configuration.
- Back returns to the Firewall Licenses form without submitting changes to the pending configuration.

Installed License(s) form

Use the Firewall Installed License(s) form to display information about current Check Point Licenses (see Firewall Installed License(s) form).

[Figure 63: Firewall Installed License(s) form]

Fields and buttons on the Firewall Installed License(s) form are as follows:
- Director IP provides a list of Director IP addresses.
  - Click Submit to request license information for the selected IP address.
- Host identifies the host associated with the license information.
- Expiration provides the license expiration date.
- Signature provides the Check Point License string.
92. Fields and buttons on the Firewall SMART Clients form are as follows:
- IP Address provides the IP Address of any configured SMART Clients.
- Action provides fields to delete or modify any present SMART Clients.
- New SMART Client IP provides a field to enter a new SMART Client IP address.
- Update submits the new SMART Client IP address to the pending configuration.

SecurID form

The SecurID form provides access to a two factor form method for centralized authentication and management (see Firewall SecurID form). For more information about SecurID, see the Nortel Switched Firewall 5100 Series User's Guide and Command Reference 213455 L.

[Figure 66: Firewall SecurID form]
93. ields and buttons on the Administration SNMP Trap Hosts form are as follows:
- IP Address specifies the IP address of the trap host. TIP: Use dotted decimal notation.
- Port specifies the destination port to which the trap should be sent. TIP: The default is port 162.
- Community v1 v2c specifies the community string for the trap host.
- Trap User usm specifies the user employed for trap authentication.
- Actions provides the following two options:
  - Delete deletes a trap host from the system.
  - Modify permits modification to the selected trap host.
- Add New Trap Host provides access to the add form (see Administration SNMP Trap Hosts Add Trap Host form on page 130).

Administration SNMP Trap Hosts Add Trap Host form

Use the Administration SNMP Trap Hosts Add Trap Host form to add a trap host.

[Figure 96: Administration SNMP Trap Hosts Add Trap Host form]

Fiel
94. ion Users SSH Users form without submitting changes to the pending configuration

Access List form

Use the Administration Access List form to specify which clients are permitted to administer the system (see Administration Access List form). Web access must also be specified (see Administration Web General form on page 118).

[Figure 83: Administration Access List form]

Fields and buttons on the Administration Access List form are as follows:
- Network Address provides the IP address of the client.
- Subnet Mask provides the subnet address used for matching.
- Actions provides two buttons:
  - Modify displays a form to modify client information.
  - Delete deletes the selected entry. TIP: Deletion terminates the connection.
- Add New Access Control displays the Administration Access List Add f
95. isement Interval is used to set the interval between advertisement messages. TIP: Set the advertisement interval in seconds between 3 and 3600.
- Garp Broadcast Interval is used to set the value that, when multiplied by the Advertisement Interval, determines the interval between Gratuitous ARP (GARP) messages. TIP: The interval between GARP messages is set in seconds between 2 and 100.
- Garp Delay Interval displays and permits setting of the current GARP Delay Interval in seconds. TIP: The default value is 1 and the range is between 1 and 600 in seconds.
- Advance FailOver Check
  - Enabled indicates that AFC is enabled and the system is set to ARP before initiating a failover caused by missed VRRP advertisements.
  - Disabled indicates that AFC is disabled.
- Preferred Master provides a list with the following three selections:
  - disabled
  - host 1
  - host2
- Update submits the changes to the pending configuration.

GRE Tunnels form

Use the Network GRE Tunnels form to view and modify GRE Tunnels settings (see Network GRE Tunnels form).

[Figure 54: Network GRE Tunnels form]
96. isk Usage provides the percentage of hard disk space used on the Firewall.
- Memory Usage provides the percentage of memory used on the Firewall.
- CPU Load provides the percentage of CPU used on the Firewall.
- Application provides a list of the current applications running on the Firewall.
- Current Status provides the current status of the applications (running or disabled).
- Uptime provides the time in Hours Minutes Seconds since the applications started.
- To help determine which physical host is using a particular IP Address, click Beep Firewall Director to cause multiple beeps to be emitted at the host.

Administration Monitor Alarms form

The Administration Monitor Alarms form provides information about alarm status (see Administration Monitor Alarms form).

[Figure 72: Administration Monitor Alarms form]

Fields and buttons on the Administration Monitor Alarms form are as follows:
- Name provides the name of the alarm.
- Severity temperature on host 10 10 1 1 has moved to critical 1077596940 degrees Celsius Motherboard temperature
97. its read and write access
- Events provides a list with the following selections:
  - Enabled enables sending cluster event messages to SNMP trap hosts.
  - Disabled disables sending cluster event messages to SNMP trap hosts.
- Alarms provides a list with the following selections:
  - Enabled enables sending cluster alarm messages to the SNMP trap hosts.
  - Disabled disables sending cluster alarm message to the SNMP trap hosts.
- SNMPv1 v2c Options
  - Read Community String v1 v2c default setting is public. TIP: Change the default for effective security.
- SNMPv3 USM Options
  - Security Level usm
    - none provides no authentication privacy.
    - auth verifies the SNMP user before granting SNMP access and transmits in plain text.
    - priv verifies the SNMP user before granting SNMP access and transmits encrypted information.
  - Update submits the form changes to the pending configuration.

Administration SNMP System form

Use the Administration SNMP System form to enter administrative information on behalf of the SNMP system (see Administration SNMP System form).

[Figure 94: Administration SNMP System form]
98. k Point connection table size: fw tab -t connection
    - Check Point connection table size summary: fw tab -t connections -s
    - Check Point interface list: fw ctl iflist
    - Check Point licenses: cplic print -x -t
    - Check Point memory statistics: fw ctl ptstat
    - Check Point policies: fw stat
    - Check Point version: fw ver
    - Check Point Status: fw stat 1
    - Test Sync Network: cphaprob stat
    - Load Check Point Policy: fw fetch localhost
    - Unload Check Point Policy: fw unloadlocal
    - Current interfaces: ifconfig
    - Current running processes: ps aefH
    - Iptables information: iptables -L
    - ARP Table Entries info net arp: arp -n
    Click Submit to execute the selected Check Point command. Result displays the result of the selected command execution.

    Debug forms

    Diagnostics Debug OSPF form
    Use the Diagnostics Debug OSPF form to configure OSPF debug settings (see Diagnostics Debug OSPF form).
    Figure 116: Diagnostics Debug OSPF form
99. k Routes Static Add Route form
    Use the Network Routes Static Add Route form to add a new static route to the configuration.
    Figure 31: Network Routes Static Add Route form
    Fields and buttons on the Network Routes Static Add Route form are as follows:
    - Destination IP specifies the IP address of the route destination. TIP: Use dotted decimal notation.
    - Destination Mask specifies the subnet mask for the route destination. TIP: Use dotted decimal notation.
    - Gateway IP specifies the IP address of the gateway. TIP: Use dotted decimal notation.
    - Update submits the changes to the pending configuration.
    - Back returns to the Network Routes Static form without submitting changes to the pending configuration.

    Network Routes Proxy ARP form
    Use the Network Routes Proxy ARP (Address Resolution Protocol) form to view and configure the Proxy ARP status and addresses that allow the Firewall to respond to Proxy ARP requests
100. k based Help system (see Figure 13).
    - Task topic menu: Select from a list of tasks using the menu on the left side of the Help window. Each main task item is listed along with the subtasks under the current selection. Select a different subtask to reveal the steps required to complete it.
    - Forms area: This area displays the steps required to complete the selected subtask.
    - Load Page link: Click Load Page to display the form referenced on the task topic menu. If the subtask has more than one step, the steps are listed on the form.
        - Click to display the information for the next subtask.
        - Click to display the information for the previous subtask.
    - Close button: Click Close to close the task based Help window.

    CHAPTER 3 Browser Based Interface forms reference

    BBI main menu selections
    The following eight selections are available on the Nortel Switched Firewall (NSF) Browser Based Interface (BBI) Config tab main menu:
    - System form on page 34
    - NSF 5100 Ticker form on page 34
    - Cluster forms on page 38
    - Network forms on page 50
    - Firewall forms on page 89
    - Operation forms
101. l
    Use the Check Point Firewall form to configure options such as enabling or disabling Check Point Firewall processing and synchronization status (see Configure Check Point Firewall Wizard form).
    Figure 123: Configure Check Point Firewall Wizard form

    Routes Gateways
    Use the Routes Gateways form to configure static routes and default gateways (see Configure Routes Gateways Wizard form).
    Figure 124: Configure Routes Gateways Wizard form

    DHCP Relay
    Use the DHCP Relay form to configure DHCP relay (see Configure DHCP Relay Wizard form).
    Figure 125: Configure DHCP Relay Wizard form
102. lays detailed information about the selected topic.
    - Close button: Click Close to close the context sensitive Help window.

    Task based Help
    Task based Help directs the administrator through the steps of various common procedures. To access task based Help, click global Help and then click the Tasks bar. The task Help menu appears in a new window with information appropriate for the current BBI form (see Figure 13).
    Figure 13: Task based Help form
    The task based Help window consists of the following areas:
    - Subpage menu: Click Pages to display Help for the selected form. Click Tasks to activate the tas
103. liability arising from the use of products described herein except as expressly agreed to in writing by Nortel Networks Inc. The use and purchase of this product does not convey a license under any patent rights, trademark rights, or any other intellectual property rights of Nortel Networks Inc. Nortel, Nortel Networks, the Nortel logo, and the Globemark are trademarks of Nortel Networks. Check Point, OPSEC, and SmartUpdate are trademarks of Check Point Software Technologies Ltd. FireWall-1 and VPN-1 are registered trademarks of Check Point Software Technologies Ltd. Portions of this manual are Copyright 2001 Check Point Software Technologies Ltd. All Rights Reserved. Portions of this manual are Copyright 2001 Dell Computer Corporation. All Rights Reserved. Any other trademarks appearing in this manual are owned by their respective companies.

    Contents
    Preface
    - Who should use this book
    - How this book is organized
    - Typographic conventions
    - How to get help
    - Getting help from the Nortel web site
    - Getting help over the telephone from a Nortel Solutions Center
    - Using an Express Routing Code to get help from a specialist
    - Getting help through a Nortel distributor or reseller
    Chapter 1 Introduction
    - Characteristics of the BBI
    - Getting started
    - Requirements
    - Enabling the BBI
    - CLI configuration tasks
    - Setting up the web browser
    - Starting the BBI
    - Using the VRRP virtual IP address to
104. llows
    - Identifier is the interface identifier.
    - IP Address is the interface IP address.
    - DHCP Requests enables or disables access for DHCP clients through the interface.
    - Update submits the changes to the pending configuration.
    - Back returns to the Network DHCP Relay Interfaces form without submitting changes to the pending configuration.

    Network DHCP Relay Servers form
    Use the Network DHCP Relay Servers form to display and modify the information about the DHCP Relay Servers (see Network DHCP Relay Servers form).
    Figure 46: Network DHCP Relay Servers form
    Fields and buttons on the Network DHCP Relay Servers form when DHCP servers are configured are as follows:
    - Id provides the internal ID of the DHCP server.
    - Enabled
        - Yes indicates that the DHCP server is enabled.
        - No indicates that the DHCP server is disabled.
    - IP Address specifies the IP address of the DHCP server.
    - VRRP Grou
105. mand to enable management support for the VRRP interface: cfg net if mgmt ena apply
    The virtual IP address is specified with the ip or ip2 command in the CLI menu. For more information, see the Nortel Switched Firewall 2.3.3 User's Guide and Command Reference (Part No. 213455 L).
    Using the VRRP interface IP address enhances firewall security because users can configure the VRRP interface with the user-defined CheckPoint policies. SSI traffic is separate from the CheckPoint policies.

    Logging in
    To log in, enter the account name and password for the system administrator or operator account (see Figure on page 16). For more login and password information, see the Nortel Switched Firewall 2.3.3 User's Guide and Command Reference (213455 L).
    Figure 1: NSF Login window

    Loading the main page
    When the valid account name and password combination is entered on the login window, the BBI default page appears in your browser viewing window (see Figure 2).
    Figure 2: NSF BBI main page
106. The Administration Users General form is divided into the following two sections:
    - Administration Users
    - Password Expire Time
    Fields and buttons on the form are as follows:
    - Administration Users
        - Username provides the following default user names. TIP: You cannot remove the default names.
            - Oper user is a member of the Oper Group and has read access to the NSF.
            - root is a member of the Root Group and has read/write access to the NSF.
            - admin is a member of Admin and Oper Groups and has read/write access to the NSF.
        - Group(s) displays the group to which the user belongs.
        - Actions provides a Modify button used to modify passwords for the default user names or modify information for user names other than the defaults (see Administration Users General Modify User form).
        - Add New User provides access to the Add New User form, used to add a new user name to a specified group and set the password (see Administration Users General Add New User form on page 112).
    - Password Expire Time
        - Password Expire Time provides an entry field to set the password expiry time in seconds for the current user name. TIP: The password does n
107. The Administration Web Server Certs form is divided into the following two sections:
    - Server Certificates
    - Server Certificate Management
    Fields and buttons on the form are as follows:
    - Server Certificates
        - Id provides the identifier for the certificate.
        - Issuer identifies the issuer of the certificate.
        - Subject provides the subject of the certificate.
        - Serial Number provides the serial number of the certificate.
        - Valid From provides the date the certificate becomes valid.
        - Valid To provides the date the certificate expires.
        - Actions provides the following two selections (visible if a certificate is present):
            - Delete is used to delete a certificate from the system.
            - Modify is used to modify the selected certificate.
        - Add New Server Certificate opens a form to add a new server certificate (see Administration Web Server Certs Add Server Certificate form).
    - Server Certificate Management
        - Generate Certificate Request opens the request form (see Administration Web Server Certs Generate Certificate Request form on page 123).
        - Export Certificate Request exports the certificate request.

    Administration Web Server Certs Add Server Certificate form
    Us
108. n Monitor GUI Lock form allows an administrator to take control of the GUI lock and provide an alert message to other users (see Administration Monitor GUI Lock form). Taking control of the GUI lock prevents firewall configuration conflicts between concurrent user sessions.
    Figure 75: Administration Monitor GUI Lock form
    Fields and buttons on the Administration Monitor GUI Lock form are as follows:
    - User Message provides an entry field for the administrator taking control of the GUI lock to create a message. This message displays to other administrators until the controller of the lock releases it.
    - To take control of the GUI lock, click Take The Lock. The Lock form appears.
    Fields and buttons on the Lock form are as follows:
    - User Name provides an entry field to specify the name of the administrator who has taken control of the GUI lock.
    - Lock Time provides an entry field to specify the time the GUI lock was taken.
    Return to the Lock form to release the lock and do the following:
    - To release the GUI lock before closing the current session, click Release The Lock.
109. n page 82
    - Status
        - Interface (see Network Status Interface form on page 85)
        - Link (see Network Status Link form on page 86)
        - Bridge Statistics (see Network Status Bridge Statistics form on page 87)
        - Bridge Mac Entries (see Network Status Bridge Mac Entries form on page 88)

    NOTE: The NSF provides administrators with the option to configure Layer 2 and Layer 3 firewalls. The Layer 2 and Layer 3 firewall configuration procedures differ only in the configuration of the IP addresses. A Layer 3 firewall requires valid IP addresses for address 1 and address 2. A Layer 2 firewall requires no IP addresses. For detailed Layer 2 and Layer 3 configuration, see Nortel Switched Firewall 2.3.3 User's Guide and Command Reference (213455 L).

    DNS form
    Use the Network DNS form to specify the Domain Name Service (DNS) servers. Multiple servers are allowed (see Network DNS form).
    Figure 26: Network DNS form
    Fields and buttons on the Network DNS form are as follows:
    - IP Addre
110. nistration SSH Keys Import SSH Key form on page 137
    - SSH Key Generation includes the following fields and buttons:
        - Generate new Keys generates new SSH keys.
        - Show SSH Keys shows the current SSH host keys for the cluster (see Administration SSH Keys Show SSH keys form on page 138).

    Administration SSH keys Add New SSH key form
    Use the Administration SSH keys Add New SSH key form to add SSH keys to the configuration.
    Figure 102: Administration SSH keys Add New SSH key form (on-screen warning: SSH key will be added immediately to the database. No apply is required.)
    Fields and buttons on the Administration SSH keys Add New SSH key form are as follows:
    - IP Address provides an entry field to specify the IP address of the firewall.
    - SSH Key displays the SSH host keys of the specified firewall.
    - Save applies the changes without sending them to the pending configuration.
    - Back returns to the Administration SSH keys form without submitting changes to the pending configuration.

    Administration SSH Keys Import SSH key form
    Use the Administration SSH Keys Import SSH Key form to import SSH keys see A
111. ns
            - Enabled indicates that Check Point FireWall-1 NGX is processing on the Firewall.
            - Disabled indicates that Check Point FireWall-1 NGX is not processing on the Firewall.
        - Update submits the changes to the pending configuration.
    - Smart Update Management
        - Status provides a list with the following two selections:
            - Enabled indicates that Check Point SmartUpdate software updating is enabled. TIP: Disable SmartUpdate management when software update is complete.
            - Disabled indicates that Check Point SmartUpdate software updating is disabled.
        - Update submits the changes to the pending configuration.
    - Secure Internal Communication is used to establish Secure Internal Communications (SIC) between the management station and the Firewall.
        - List of Hosts lists the Firewall hosts by IP address.
        - Password provides a field to enter the Check Point SIC password. TIP: This password differs from the login password.
        - Password again provides a field to reenter and confirm the Check Point SIC password.
        - Reset SIC resets SIC for the Firewall.

    License Management form
    Use the Firewall Licenses form to modify or install additional Check Point licenses on the Firewall (see Firewall License Management form).
    Figure 61: Firewall License Management form
112. ntry field to confirm the new password.
    - Click Change Password to submit the new password to the pending configuration.
    - Click Back to return to the Administration Users General form without submitting changes to the pending configuration.

    Administration Users General Add New User form
    Use the Administration Users General Add New User form to add new users (see Administration Users General Add New User form).
    Figure 80: Administration Users General Add New User form (on-screen warning: Users are added immediately to the database. No apply is required.)
    Fields and buttons on the Administration Users General Add New User form are as follows:
    - Add New User
        - Username provides an entry field to specify an identifier for the user.
        - Group provides a selection list to specify the group for the user.
    - Set Password
        - Current Login Password provides an entry field to specify the login password for the administrator.
        - Password provides an entry field to specify a new password.
113. Fields and buttons on the Operation Director(s) form are as follows:
    - ID specifies the ID of any configured Firewall.
    - Name describes the name and IP address of any configured Firewall.
    - Action provides three management choices for the selected Firewall:
        - Halt stops operation of the Firewall.
        - Reboot shuts the Firewall down and restarts it.
        - Delete removes the Firewall from the configuration.

    Configuration form
    Use the Operation Configuration form to export or import configuration files (see Operation Configuration form).
    Figure 68: Operation Configuration form
    The Operation Configuration form is divided into two sections:
    - Export Cluster Configuration
    - Import Cluster Configuration
    Fields and buttons on the form are
114. on page 97
    - Administration forms on page 102
    - Diagnostics forms on page 145
    Pages called forms are available for each menu selection. Use these forms to configure, manage, or obtain information about the NSF BBI.
    The following selections are available on the NSF BBI Wizards tab main menu:
    - Initial Configuration
    - Add
    - Configure
    For more information about the Wizards forms, see Wizards forms on page 154.

    System form
    When you select System, the Main page (also known as the Monitor System form) is displayed, as shown in Monitor System form. For more information about the System form, see Interface components on page 17.
    Figure 14: Monitor System form
115. ork Status Interface form

    Network Status Link form
    Use the Network Status Link form to obtain information about all network interface ports (see Network Status Link form).
    Figure 57: Network Status Link form
    Fields and buttons on the Network Status Link form are as follows:
    - Firewall Director provides a list of all hosts on the system. You can select ALL or individual hosts.
    - Update provide
116. orm see Administration Access List Add New Client Access form on page 116

    Administration Access List Add New Client Access form
    Use the Administration Access List Add New Client Access form to add a new client access to the configuration.
    Figure 84: Administration Access List Add New Client Access form
    Fields and buttons on the Administration Access List Add New Client Access form are as follows:
    - Client Network Address provides an entry field to record the new client address.
    - Client Subnet Mask provides an entry field to record the new client subnet mask.
    - Click Update to submit the new client access information to the pending configuration.
    - Click Back to return to the Administration Access List without submitting changes to the pending configuration.

    Telnet SSH form
    Use the Administration Telnet SSH form to enable or disable Telnet SSH
117. ot expire if the default value of 0 is used.
        - Update confirms the password expiration value set for the current user name.

    Administration Users General Modify User form
    Use the Administration Users General Modify User form to change the password for a specific user (see Administration Users General Modify User form).
    Figure 79: Administration Users General Modify User form (on-screen warning: Configuration done through this page is directly applied to the database.)
    Fields and buttons on the Administration Users General Modify User form are as follows:
    - Username provides the username.
    - Group provides the name of the group to which the user is assigned.
    - Current Login Password provides an entry field to record the current active password for the named user (for example, oper user or admin user).
    - Password provides an entry field to record the new password.
    - Password again provides an e
118. ou sure you want to exit NSF 5100 series administration
    The global Logout form includes the following items:
    - Logout button: Click Logout to terminate the current user session. TIP: Any configuration changes made during this session that have not been applied are lost. This command has no effect on pending changes in other open CLI or BBI sessions.
    - Back button: Click Back to return to the previously viewed form without logging out.

    Help
    The global Help form provides assistance with forms and tasks in the BBI. Two kinds of Help are available: context sensitive Help and task based Help.

    Context sensitive Help
    Context sensitive Help displays detailed information about the currently displayed form in the BBI forms area. Click global Help to view a new window showing Help information appropriate to your current options (see Figure 12).
    Figure 12: Context sensitive Help form
119. ours
    If the log file rotate size is set to > 0, log rotation occurs when one of the following conditions is met:
    - The log file surpasses the rotate size.
    - The log file rotation interval is reached.
    Rotated log files are managed in one of the following ways when rotation occurs:
    - The rotated log file is set aside.
    - The rotated log file is e-mailed. TIP: Specify an e-mail address and SMTP server IP address.
    When the log file is rotated, a new log file is started.

    Warnings form
    Use the Cluster Warnings form to enable or disable configuration warning messages (see Cluster Warnings form).
    Figure 25: Cluster Warnings form
    Fields and buttons on the Cluster Warnings form are as follows:
    - Warnings displays a list with two selections:
        - Disabled disables the display of warning messages about the state of pending configuration chan
120. owed and the changes are not applied. This command has no effect on pending changes in other open CLI or BBI sessions. See Figure 75 on page 107 for information about taking control of the GUI lock.
    - Validate Configuration: When selected, this option validates pending changes for the current session but does not apply them. The pending configuration changes are examined to ensure that they are complete and consistent. If problems are found, the following types of messages are displayed:
        - Warnings are in yellow. Warnings identify conditions you should consider but which do not cause errors or prevent configuration application.
        - Errors are in red. Errors identify serious configuration problems that require correction. Uncorrected errors cause the Apply Changes command to fail.
      If the configuration is valid, select Apply Changes and click Submit to apply the changes.
    - Run a Security Audit: When selected, this command lists security information. Security information includes the status for remote management features such as Telnet, SSH, and the BBI for the cluster. The IP addresses that access the remote management features are also listed. The Run Security Audit command also lists users configured with default passwords that require change.
    - Submit button: Click to perform the action selected in the Apply Changes list.
    - Back button: Click to return to the previously viewed form without applying changes.
121. - Password again provides an entry field to confirm the new password.
    - Save User saves the user information and returns to the Administration Users General form. TIP: Save User applies the change. Do not use the Apply command.
    - Back returns to the Administration Users General form without saving the user information.

    Administration Users SSH form
    Use the Administration Users SSH Users form to obtain and modify information about SSH users and to add new SSH users (see Administration Users SSH Users form).
    Figure 81: Administration Users SSH Users form
    Fields and buttons on the Administration Users SSH Users form are as follows:
    - Enabled specifies the status of the SSH user account.
    - User Name specifies the name of the remote SSH user.
    - User Full Name specifies the descriptive name of the remote SSH user.
    - RSA/DSA Public Key specifies the public key used for RSA and DSA authentication.
    - Actions provides the following two options:
        - Modify provides fields to modify
122. p specifies the affinity to VRRP Group in active-active mode.
- Actions provides the following two options:
  - Modify provides a form to modify the server information.
  - Delete deletes the selected server.
- Add New Server (see Network DHCP Relay Servers Add New Server form on page 73).
Network DHCP Relay Servers Add New Server form
Use the Network DHCP Relay Servers Add New Server form to add a new DHCP server.
Figure 47: Network DHCP Relay Servers Add New Server form
Fields and buttons on the Network DHCP Relay Servers Add New Server form are as follows:
- Identifier provides a numerical list with a range from 1 to 8 to specify the internal ID of the DHCP server.
- Status provides a list with the following two selections:
  - Enabled enables the user of DHCP services.
  - Disabled disables the user of DHCP services.
- IP Address provides a field to specify the IP address of the DHCP server.
- VRRPG pro
123. provides an entry field for the tunnel destination IP address for host 1.
  - Mask provides an entry field for the tunnel subnet mask.
- Host 2 Tunnel:
  - Source IP provides an entry field for the tunnel source IP address for host 2.
  - Destination IP provides an entry field for the tunnel destination IP address for host 2.
  - Mask provides an entry field for the tunnel subnet mask.
- Update submits the changes to the pending configuration.
- Back returns to the Network GRE Tunnels form without submitting changes to the pending configuration.
Status forms
Following are four Network Status forms:
- Interface (see Network Status Interface form)
- Link (see Network Status Link form on page 86)
- Bridge Statistics (see Network Status Bridge Statistics form on page 87)
- Bridge Mac Entries (see Network Status Bridge Mac Entries form on page 88)
Network Status Interface form
The Network Status Interface form provides runtime information for all Ethernet ports on the Firewall. Information includes errors, dropped packets, overruns, and frames for all transmitted and received packets, in addition to number of carriers and overruns for all transmitted (TX) packets (see Network Status Interface form). The Firewall Director list provides the option of selecting all or individual interfaces.
Figure 56 Netw
124. r APC UPS Status form
The Administration Monitor APC UPS Status form provides information about status of the American Power Corporation uninterrupted power supply (APC UPS); see Administration Monitor APC UPS Status form.
Figure 74: Administration Monitor APC UPS Status form
Administration Monitor GUI Lock form
The Administratio
125. re 28 on page 53
Network Ports Modify Port form
Use the Network Ports Modify Port form to modify the settings for a selected port.
Figure 28: Network Ports Modify Port form
The following fields can be modified on the Network Ports Modify Port form:
- Identifier provides an entry field for a port number. TIP: Select a number between 1 and 6.
- Name provides an entry field to specify a name for the port.
- Autonegotiation Status provides a list with the following two selections:
  - Enabled enables port autonegotiation. TIP: Port speed setting is ignored if autonegotiation is enabled.
  - Disabled disables port autonegotiation.
- Speed provides a list with the following selections:
  - 0 Mbps
  - 10 Mbps
  - 100 Mbps
  - 1000 Mbps
- Mode provides the following two selections:
  - Half duplex
  - Full duplex
- Update submits
126. re visible only if routes are present:
  - Delete to delete a route from the system.
  - Modify to modify the parameters of a displayed route (see Network Routes Static Modify Route form).
- Add New Route adds a new route to the configuration (see Network Routes Static Add Route form on page 56).
Network Routes Static Modify Route form
Use the Network Routes Static Modify Route form to modify the parameters of a displayed route.
Figure 30: Network Routes Static Modify Route form
Fields and buttons on the Network Routes Static Modify Route form are as follows:
- Destination IP specifies the IP address of the route destination. TIP: Use dotted decimal notation.
- Destination Mask specifies the subnet mask for the route destination. TIP: Use dotted decimal notation.
- Gateway IP specifies the IP address of the gateway. TIP: Use dotted decimal notation.
- Update submits the changes to the pending configuration.
- Back returns to the Network Routes Static form without submitting changes to the pending configuration.
Networ
127. Fields and buttons on the Firewall License Management form are as follows:
- IP Address is the address for the Firewall.
- In Use:
  - Yes indicates that the IP address is currently assigned to a Firewall.
  - No indicates that the IP address is available to configure a new Firewall.
- Licenses shows the number of Check Point licenses currently configured for each IP address.
- Actions provides two choices, which are visible only if entries are present:
  - Click Modify to modify the Check Point licenses for the IP address.
  - Click Delete to delete the Check Point licenses for the IP address.
- Add New License Entry provides a form that permits addition of Check Point licenses for the IP address (see Firewall License Management Add New License Entry form on page 92).
Firewall License Management Add New License Entry form
Use the Firewall License Management Add New License Entry form to add Check Point licenses.
Figure 62 Firewall License Management
128. rewall forms
The Firewall menu includes the following five categories of forms:
- Settings (see Settings form)
- License Management (see License Management form on page 91)
- Installed Licenses (see Installed License(s) form on page 93)
- Synchronization (see Synchronization form on page 94)
- SMART Clients (see SMART Clients form on page 95)
- SecurID (see Firewall SecurID form on page 96)
Settings form
Use the Firewall Settings form to change the Firewall status and reset Secure Internal Communications (see Firewall Settings form).
Figure 60: Firewall Settings form
The Firewall Settings form is divided into three sections:
- General
- Smart Update Management
- Secure Internal Communication
Fields and buttons on the form are as follows:
- General:
  - Status provides a list with these selectio
129. Fields and buttons on the Administration SNMP System form are as follows:
- Email Contact provides an entry field to specify the e-mail address of the SNMP administrator.
- Cluster Name provides an entry field to specify a name for referencing the cluster.
- Cluster Location provides an entry field to specify a name for referencing the cluster location.
- Update submits the form changes to the pending configuration.
Administration SNMP Trap Hosts form
The Administration SNMP Trap Hosts form lists configured trap hosts receiving SNMP event or alarm messages from the Firewall (see Administration SNMP Trap Hosts form).
Figure 95: Administration SNMP Trap Hosts form
F
130. rm to view and change the dynamic routing settings for OSPF (see Network Routes OSPF General form).
Figure 34: Network Routes OSPF General form
Fields and buttons on the Network Route OSPF General form are as follows:
- Status displays a list with the following selections:
  - Disabled disables OSPF.
  - Enabled enables OSPF.
- Spf Interval provides an entry field to set the time interval, in seconds, between each calculation of the Shortest Path First (SPF).
- Spf Hold Time provides an entry field to set the minimum time OSPF retains a shortest path calculation result to prevent another calculation from occurring too soon.
- Router Id 1 provides an entry field to set the OSPF Router ID for the first Firewall host. TIP: OSPF uses the router ID to identify the routing device. If no router ID is specified or if the rout
131. Figure 23: Cluster Logs ELA form
Note: The certificate will need to be pulled again if the SIC status of the OPSEC application is reset.
NOTE: Configure an ELA service on the Check Point management station and transfer a SIC Certificate for the service to the Firewall to enable ELA logging. For configuration details, see the Nortel Switched Firewall 2.3.3 User's Guide and Command Reference (213455 L).
The Cluster Logs ELA Check Point ELA Log form is divided into the following two sections:
- General Settings
- Pull SIC Certificate
General Settings displays the following fields:
- Status displays a list with two choices:
  - Disabled disables Check Point ELA logging.
  - Enabled enables Check Point ELA logging.
- Managem
132. rrently only pending changes made during your current session are affected by use of the global Diff, Revert, or Logout commands. However, when multiple CLI or BBI administrators apply changes to the same set of parameters concurrently, the latest applied changes take precedence.
TIP: See Figure 75 on page 107 (Administration Monitor GUI Lock form). To prevent conflicts, any user logged in as administrator (username admin) can take control of the GUI lock before changing or creating a configuration.
Pending change exceptions
After submission, most changes are considered pending and are not immediately put into effect or permanently saved. However, changes to the date or time zone, and users and passwords, take effect as soon as the form is submitted. See Cluster Time Current Time form on page 40 and Administration Users General form on page 110.
Lost changes
Changes are lost if a new form is selected or the session is ended without submitting the information to the pending configuration. Click Update or Submit on the form to submit changes to the pending configuration.
Pending changes are also discarded if you do not submit them before the inactivity timeout value on BBI sessions elapses. The BBI inactivity timeout value is five minutes and cannot be changed.
Creating a configuration
To create a confi
133. s Add New GRE Tunnel form to add a new GRE tunnel to the configuration.
Figure 55: Network GRE Tunnels Add New GRE Tunnel form
Fields and buttons on the Network GRE Tunnels Add new GRE Tunnel form are as follows:
- Add GRE Tunnel:
  - Identifier provides a list to specify the numerical ID, between 1 and 5, for the GRE tunnel.
  - Name provides an entry field to specify the GRE tunnel name.
  - Status provides a list containing two selections:
    - Disabled
    - Enabled
  - Physical Interface provides a list to specify a numerical value between 1 and 255.
  - Remote Address provides an entry field to specify the remote IP address of the GRE tunnel.
- Host 1 Tunnel:
  - Source IP provides an entry field for the tunnel source IP address for host 1.
  - Destination IP
134. Diagnostics forms
The Diagnostics forms provide information about logs, forms to check configuration and Check Point Logs, system commands, and OSPF Debug settings. The Diagnostic forms menu includes the following categories of forms:
- Logs (see Logs form)
- Events (see Events form on page 147)
- Audit Log (see Audit Log form on page 148)
- Maintenance (see Maintenance forms on page 149)
- System Commands (see System Commands form on page 151)
- Debug (see Debug forms on page 152)
Logs form
The Diagnostics Logs form displays the contents of the log file collected from the selected Firewall host (see Diagnostics Logs form).
Figure 110: Diagnostics Logs form
135. s information about the selected hosts.
- Port No provides the port number on the selected host.
- Link Status displays the link as UP or DOWN.
- Autoneg specifies whether autonegotiation is set on the port.
- Speed specifies the link speed in Mbps as 10, 100, or 1000.
- Mode specifies the operating mode as Full Duplex or Half Duplex.
Network Status Bridge Statistics form
Use the Network Status Bridge Statistics form to view the bridge statistics for the selected firewall (see Network Status Bridge Statistics form).
Figure 58: Network Status Bridge Statistics form
Fields and buttons on the Network Status Bridge Statistics form are as follows:
- Firewall Director provides a list of hosts in the system.
- Refresh provides the statistics for the selected host.
- Bridge Name specifies the name of the selected bridge.
- Bridge Id specifies the ID of the selected bridge.
- STP Enabled indicates whether or not STP is active.
- Interfaces provides statistics
136. see Network Routes Proxy ARP form
Figure 32: Network Routes Proxy ARP form
The Network Routes Proxy ARP form is divided into the following two sections:
- General
- Proxy ARP Addresses
Fields and buttons on the form are as follows:
- General:
  - Proxy Status contains a list displaying the following selections:
    - Disabled disables Proxy ARP for the cluster.
    - Enabled enables Proxy ARP for the cluster.
  - Update submits the Proxy status change to the pending configuration.
- Proxy ARP Addresses:
  - IP Address lists the IP addresses for which the Proxy provides ARPs in the cluster.
  - VRRP Group lists the VRRP group (if VRRP is set up) for which the Proxy provides ARPs in the cluster.
  - Action provides the delete selection, used to delete the IP address if at least one Proxy ARP address is present.
  - New Proxy ARP IP provides an entry field to specify an IP address. TIP: Use dotted decimal
137. server settings
  - Add New Auditing Server (see Administration Audit Add RADIUS Auditing Server form)
Administration Audit Add RADIUS Auditing Server form
Use the Administration Audit Add RADIUS Auditing Server form to add a RADIUS auditing server.
Figure 109: Administration Audit Add RADIUS Auditing Server form
Fields and buttons on the Administration Audit Add RADIUS Auditing Server form are as follows:
- IP Address provides an entry field to specify the IP address of the RADIUS auditing server.
- Port provides an entry field to specify the TCP port number.
- Shared secret provides an entry field to specify the RADIUS shared secret.
- Update submits the changes to the pending configuration.
- Back returns to the Administration Audit form without submitting changes to the pending configuration.
138. sion provides two check boxes to specify the type of permission allowed for the user:
  - Get
  - Trap
- Authentication Password provides an entry field to specify the password used in MD5 authentication.
- Authentication Password again provides an entry field to confirm the password.
- Encryption Password provides an entry field to specify the password used in DES encryption.
- Encryption Password again provides an entry field to confirm the password. TIP: When a user is added, set both passwords.
- Update submits the new trap host data to the pending configuration.
- Back returns to the Administration SNMP USM Users form without submitting changes to the pending configuration.
Administration SNMP MIBs form
The Administration SNMP MIBs form displays all of the SNMP MIB files available on the Firewall (see Administration SNMP MIBs form).
Figure 99: Administration SNMP MIBs form
Fields and buttons on the Administration SNMP MIBs form are as follows:
- File Name li
139. ss specifies the IP address of a configured DNS server.
- Action displays a Delete button if a DNS server is present.
- New DNS IP provides an entry field to specify a new DNS server address. TIP: Use dotted decimal notation.
- Update submits the DNS server address changes to the pending configuration.
Ports form
Use the Network Ports form to configure network port settings (see Network Ports form).
Figure 27: Network Ports form
Fields and buttons on the Network Ports form are as follows:
- Port specifies the port number on the Firewall.
- Name provides the name of the port.
- Autonegotiation provides two choices:
  - Yes indicates that autonegotiation is enabled.
  - No indicates that autonegotiation is disabled.
- Speed specifies the port data rate in Mbps of 0, 10, 100, or 1000. TIP: Port speed is not applicable if autonegotiation is enabled.
- Mode provides two duplex options:
  - Half
  - Full
- Action provides the option to modify a form and update port settings, see Network Ports Modify Port form Figu
140. Fields and buttons on the Administration Web CA Certs Add Server Certificate form are as follows:
- Identifier provides the assigned number of the certificate issuer.
- Update submits the certificate data to the pending configuration.
- Back returns to the Administration Web CA Certs form without submitting changes to the pending configuration.
SNMP forms
Use the Administration SNMP forms to enable or disable SNMP event and alarm messages, enter administrative information for the SNMP system, list configured trap hosts, administer USM users, and configure the source IP address used with SNMP traps. Administration SNMP provides the following forms:
- General (see Administration SNMP General form)
- System (see Administration SNMP System form on page 128)
- Trap Hosts (see Administration SNMP Trap Hosts form on page 129)
- USM Users (see Administration SNMP USM Users form on page 131)
- MIBs (see Administration SNMP MIBs form on page 133)
- Advanced (see Administration SNMP Advanced form on page 134)
Administration SNMP General form
Use the Administration SNMP General form to enable or disable SNMP event and alarm messages for the Firewall (see Administration SNMP General form).
Figure 93 Administra
141. Users
Use the User Administration Wizard to perform user administration tasks and configuration, such as add, modify, or delete a user (see User Administration Wizard form).
Figure 128: User Administration Wizard form
Warning: Users are added immediately to the database. No apply is required.
142. sts the SNMP MIB files existing on the Firewall.
- Action:
  - Download permits downloading of the selected MIB file to the client system.
Administration SNMP Advanced form
Use the Administration SNMP Advanced form to configure the source IP address used with SNMP traps generated from the Firewall (see Administration SNMP Advanced form).
Figure 100: Administration SNMP Advanced form
Fields and buttons on the Administration SNMP Advanced form are as follows:
- Source IP provides a list with the following selections:
  - auto is the default and uses the IP address of the outgoing interface.
  - unique uses the IP address of the NSF management port.
  - MIP uses the cluster MIP address.
- Update submits the source IP information to the pending configuration.
SSH Keys form
Use the Administration SSH keys form to display the curren
143. The SecurID form is divided into two sections.
Fields and buttons on the SecurID Interface Settings section are as follows:
- SecurID Interface IP Address specifies the Master Firewall external interface used to communicate with the SecurID server.
- Click Update to submit the SecurID interface address change to the pending configuration.
Fields and buttons on the Import SecurID Configuration section are as follows:
- File specifies the SecurID configuration file name. TIP: Click Browse to locate and select a file name.
- Click Import to import the SecurID configuration specified in the sdconf.rec file.
Operation forms
The Operation menu includes the following three categories of forms:
- Director(s) (see Director(s) form)
- Configuration (see Configuration form on page 98)
- Image Update (see Image Update forms on page 99)
Director(s) form
Use the Operation Director(s) form to control the Firewall (see Operation Director(s) form).
Figure 67: Operation Director(s) form
144. t Host Keys and generate new SSH keys for the cluster (see Administration SSH keys form).
Figure 101: Administration SSH keys form
The Administration SSH keys form is divided into the following two sections:
- SSH Known Host Keys
- SSH Key Generation
Fields and buttons on the Administration SSH keys form are as follows:
- SSH Known Host Keys displays the current host keys for the cluster. This section is used to manage known SSH host keys of firewalls and includes the following fields and buttons:
  - ID is the numerical ID of the generated SSH key.
  - Host is the IP address of the remote host containing the SSH key import target.
  - Type specifies the encryption type of the SSH key: RSA or DES.
  - Fingerprint displays the fingerprint of the SSH key.
  - Action provides a Delete button if SSH keys are configured. Click Delete to delete the specific SSH key from the registry.
  - Add New SSH Key formats and stores the specified SSH key (see Administration SSH keys Add New SSH key form on page 136).
  - Import SSH Key imports an SSH key from a remote host, see Admi
145. tatus of the GUI lock. Any user logged in as administrator (username admin) can activate the GUI lock before changing or creating a configuration. See Figure 75 on page 107.
History list
The History list displays the path to the current page. Up to nine of the most recently visited pages are listed, most recent first. TIP: Click a list item to go directly to that page.
Forms display area
The Forms display area contains fields that display information or allow you to specify information for configuring the system. The fields are different for each subpage.
Global command buttons
The global command buttons are always available at the top of each form (see Figure 3 on page 17 and Figure 7).
Figure 7: Global command buttons (Apply, Diff, Revert, Logout, Help)
The global commands summon forms used for saving, examining, or canceling configuration changes, for logging out, and for displaying Help information for the current page (see Global command forms on page 24).
Director status appears on the left side of the forms display area under the Monitor System bar. Director status summarizes the status of the cluster, including CPU, memory, and hard disk. The Firewall icon appears on the right side of the forms display area under the Monitor System bar
146. ter You must have a Nortel support contract to use the Nortel Solutions Center. To reach a Nortel Solutions Center, do one of the following:

- In North America, call 1-800-4NORTEL (1-800-466-7835).
- Outside North America, go to the following web site to obtain the telephone number for your region: www.nortel.com/callus

Using an Express Routing Code to get help from a specialist

You can find Express Routing Codes (ERC) for many Nortel products and services on the Nortel Technical Support web site. ERCs allow you to connect directly to service and support organizations based on specific products or services. To locate the ERC for your product or service, go to www.nortel.com/erc

Getting help through a Nortel distributor or reseller

If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller.

CHAPTER 1 Introduction

This chapter explains how to enable the Browser Based Interface (BBI), set up your web browser, and launch the BBI to access the Nortel Switched Firewall (NSF) system management features from your web browser.

Characteristics of the BBI

Following are the characteristics of the BBI:

- Intuitive interface structur
147. the selected SSH user

- Delete deletes the selected SSH user.
- Add New SSH User (see Administration Users SSH Users Add New SSH User form on page 114).

Administration Users SSH Users Add New SSH User form

Use the Administration Users SSH Users Add New SSH User form to add a new SSH user to the configuration.

Figure 82: Administration Users SSH Users Add New SSH User form

Fields and buttons on the Administration Users SSH Users Add New SSH User form are as follows:

- Status provides a list with the following two selections:
  - Enabled enables the SSH user.
  - Disabled disables the SSH user.
- User Name provides an entry field to specify the name of the remote SSH user.
- User Full Name provides an entry field to specify the descriptive name of the remote SSH user.
- RSA DSA Public Key provides an entry field to specify the public key.
- Save SSH User saves the changes to the pending configuration.
- Back returns to the Administrat
148. tion SNMP General form

The Administration SNMP General form is divided into three sections:

- SNMP Settings
- SNMPv1 v2c Options
- SNMPv3 USM Options

Fields and buttons on the form are as follows:

- SNMP Settings
  - Status provides a list with the following selections:
    - Enabled enables the SNMP agent.
    - Disabled disables the SNMP agent.
  - Security Model provides a list used to specify the form of SNMP security with the following selections:
    - v1 specifies the SNMPv1 security model.
    - v2c specifies the SNMPv2c security model.
    - usm specifies the SNMPv3 USM security model.
  - Access provides a list with the following selections:
    - Disabled disables SNMP read write capacity. Users receive only enabled event and alarm messages.
    - Read permits read access.
    - Read write perm
149. tor(s) form displays Firewall director details and application status (see Administration Monitor Director(s) form).

Figure 71: Administration Monitor Director(s) form

Fields and buttons on the Administration Monitor Director(s) form are as follows:

- List of iSDs provides a list containing individual iSD selections or ALL.
  - Refresh updates the display with the details for the selection from the list of iSDs.
- Director Name provides the name of the Firewall Director.
- System Name provides the designated name of the system.
- Management IP provides the Management IP (MIP) of the Firewall.
- MAC Address provides the MAC address of the Firewall.
- System Uptime provides the time in Hours:Minutes:Seconds since the last boot of the Firewall.
- Hard D
150. [Figure: Administration Web Create Cert form]

Fields and buttons on the Administration Web Create Cert form are as follows:

- Common Name provides an entry field to specify the common name for use with the certificate.
- Two Letter Country Code provides an entry field to specify the country code to be used.
- Key Size provides a list to select the size of the encryption key with these selections:
  - 512
  - 1024
  - 2048
- Submit submits the self-signed certificate data to the pending configuration.

Administration Web Server Certs form

Use the Administration Web Server Certs form to administer server certificates on the Firewall (see Administration Web Server Certs form).

Figure 88: Administration Web Server Certs form
151. tructed as follows:

- Source IP address of the SMART Client or IP address range of the management network
- Destination Host IP address of the Firewall
- Service HTTP for non-secure access or SSL for HTTPS access
- Action Allow select Nortel Switched Firewall

Setting up the web browser

Most web browsers work with JavaScript by default and require no additional setup. Check the features and configuration of your web browser to ensure JavaScript is enabled.

NOTE: JavaScript is not the same as Java. Ensure that JavaScript is enabled in your web browser.

Starting the BBI

When the Firewall and browser setup is complete, use the following steps to launch the BBI:

1. Start your web browser.
2. Enter one of the following in the URL field of the web browser:
   a. host IP address
   b. host IP address as a name (when IP address is assigned a name on the local domain name server)
   c. MIP address
   d. virtual IP address (see Using the VRRP virtual IP address to access the NSF BBI)

   The NSF login window opens.
3. Log in (see Logging in).
4. Allow the main page to load (see Loading the main page on page 16).

Using the VRRP virtual IP address to access the NSF BBI

To use the VRRP virtual IP address for firewall access by web browser, enable management support for the VRRP interface. Use the following CLI com
152. ut

Global command forms

The global command buttons are always available at the top of each form. These buttons summon forms used to save, examine, or cancel configuration changes, log out, and to display Help information. Each global command form provides options to verify or cancel the command.

Apply Changes

Use the global Apply Changes form to check the validity of the pending configuration changes for the current session and to save the configuration changes and put them into effect (see Figure 8).

Figure 8: Apply form

The global Apply form includes the following items:

- Apply Changes list: to use this menu, select one of the following commands and click Submit.
  - Apply Changes: When selected, this command updates the Nortel Switched Firewall with any pending configuration changes. Pending changes are first validated for correctness (see Validate Configuration on page 25). If no problems are found, the changes are applied and put into effect. If problems are found, applicable warning and error messages are displayed. Warnings are allowed and the changes are applied and put into effect. Errors are not all
153. vides a numerical list with a choice of 1 or 2 to specify the affinity to VRRP Group in active-active mode

- Update submits the changes to the pending configuration.
- Back returns to the Network DHCP Relay Servers form without submitting changes to the pending configuration.

Interfaces form

Use the Network Interfaces form to view and configure the settings for individual interfaces (see Network Interfaces form).

Figure 48: Network Interfaces form

The Firewall can be configured with up to 255 IP interfaces, each representing the Firewall on the IP subnet. Fields and buttons on the Network Interfaces form are as follows:

- Id specifies the numerical ID between 1 and 255 for the interface and can be used